diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
--- a/pkg/api/avatar/avatar.go
+++ b/pkg/api/avatar/avatar.go
@@ -17,14 +17,15 @@ import (
"net/http"
"net/url"
"path/filepath"
+ "regexp"
"strconv"
"strings"
"sync"
"time"
"github.com/grafana/grafana/pkg/infra/log"
+ "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/setting"
- "gopkg.in/macaron.v1"
gocache "github.com/patrickmn/go-cache"
)
@@ -97,9 +98,15 @@ type CacheServer struct {
cache *gocache.Cache
}
-func (this *CacheServer) Handler(ctx *macaron.Context) {
- urlPath := ctx.Req.URL.Path
- hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
+var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
+
+func (this *CacheServer) Handler(ctx *models.ReqContext) {
+ hash := ctx.Params("hash")
+
+ if len(hash) != 32 || !validMD5.MatchString(hash) {
+ ctx.JsonApiErr(404, "Avatar not found", nil)
+ return
+ }
var avatar *Avatar