Submitting the repo avatar form without selecting a file shows a raw Go error: `Avatar.Open: open : no such file or directory.`. The existing `nil` check does not prevent this from happening.
The user avatar handler already guards against this same problem with [`form.Avatar != nil && form.Avatar.Filename != ""`](e1cecbd276/routers/web/user/setting/profile.go (L141)); I've done the same for the repo avatar handler.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11335
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Bram Hagens <bram@bramh.me>
Co-committed-by: Bram Hagens <bram@bramh.me>
// Copyright 2018 The Gitea Authors. All rights reserved.
// Copyright 2026 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package forms
import (
"errors"
"fmt"
"io"
"mime/multipart"
"forgejo.org/modules/setting"
"forgejo.org/modules/translation"
"forgejo.org/modules/typesniffer"
)
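// ReadAvatar reads and validates an avatar from a multipart file header.
//
// It returns (nil, nil) when header is nil or carries an empty filename, which
// is how a form submitted without a selected file arrives; callers must treat
// a nil slice with a nil error as "no avatar supplied" rather than as an empty
// image. Otherwise it returns the file content, or an error when the file is
// larger than setting.Avatar.MaxFileSize, cannot be opened or read, or is not
// an accepted image type. The size and type errors carry text translated
// through locale.
func ReadAvatar(header *multipart.FileHeader, locale translation.Locale) ([]byte, error) {
	if header == nil || header.Filename == "" {
		return nil, nil
	}

	maxSize := setting.Avatar.MaxFileSize

	// Reject on the recorded size before opening anything, so an oversized
	// upload costs neither a file handle nor a read.
	if header.Size > maxSize {
		return nil, errors.New(locale.TrString("settings.uploaded_avatar_is_too_big", header.Size/1024, maxSize/1024))
	}

	r, err := header.Open()
	if err != nil {
		return nil, fmt.Errorf("Avatar.Open: %w", err)
	}
	defer r.Close()

	// Defense in depth: header.Size is filled in by the multipart parser when
	// the header comes from a parsed form, but nothing in this function ties
	// it to the bytes behind r. Capping the read keeps the memory bound in
	// force even for a header whose Size does not match its content. One
	// byte past the limit is requested so an over-long body is reported
	// instead of being silently truncated.
	readCap := maxSize + 1
	if readCap < maxSize {
		// maxSize+1 wrapped around; fall back to the limit itself.
		readCap = maxSize
	}

	data, err := io.ReadAll(io.LimitReader(r, readCap))
	if err != nil {
		return nil, fmt.Errorf("io.ReadAll: %w", err)
	}
	if size := int64(len(data)); size > maxSize {
		// size is only a lower bound here, since reading stopped at readCap.
		return nil, errors.New(locale.TrString("settings.uploaded_avatar_is_too_big", size/1024, maxSize/1024))
	}

	// The type is decided from the bytes that were read; the second argument
	// is passed empty (presumably a filename hint, confirm against
	// typesniffer). Neither the client-supplied filename nor the part's
	// Content-Type header is consulted in this function.
	st := typesniffer.DetectContentType(data, "")

	// SVG is refused even though it counts as an image. SVG documents can
	// carry script, which makes serving one back as an avatar riskier than a
	// raster format (presumably the reason for the exclusion).
	if !st.IsImage() || st.IsSvgImage() {
		return nil, errors.New(locale.TrString("settings.uploaded_avatar_not_a_image"))
	}

	return data, nil
}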