mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-16 04:42:51 -05:00
Bad MD5 filename for non-default avatars #10312
Closed
opened 2025-11-02 09:03:54 -06:00 by GiteaMirror
·
6 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#10312
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @astos-marcb on GitHub (Feb 21, 2023).
Originally assigned to: @Zettat123 on GitHub.
Description
The avatar picture endpoint always returns the
defaultpicture.See difference to actual profile picture for account
Path for the
non-defaultpicture resolves to the file content hashmd5(<id>-<md5(content)>)(as saved in u.Avatar) instead of the standardizedmd5(email).Gitea Version
1.18.4
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
2.36.5
Operating System
Alpine Linux
How are you running Gitea?
docker, verified on https://try.gitea.io/
Database
SQLite
@Zettat123 commented on GitHub (Feb 22, 2023):
Maybe you want to get your custom avatar by accessing
/avatars/{hash}and thehashismd5(email)?Actually the hash filename only indicates a file, not a user.
@astos-marcb commented on GitHub (Feb 22, 2023):
Exactly, the current user avatar should always be available at
/avatars/{md5(email)}(standardized endpoint for avatars).The default avatar is saved to the correct file name, a custom avatar is not.
Instead, a user+content-derived hash is used as the filename (value in
User.Avatar) instead ofmd5(email).Setting the default avatar will actually change the value in
User.Avatartomd5(email), which in turn does not conform to the expected value in other parts of the code (detecting re-upload of same picture for a user).An easy fix in CustomAvatarRelativePath would be to just throw away what's saved in
User.Avatar(the user/content-derived MD5 sum in case of custom avatar) and just always use the correct filename conforming toavatars.HashEmail(User.Email).This will of course break references to existing custom avatars which are already saved to a misnamed files…
@Zettat123 commented on GitHub (Feb 23, 2023):
Gitea's avatar service is not de designed to be a service like Gravatar. The hash filename only used to distinguish between different files.
Sorry I couldn't help more because we have no plans to develop this feature in the short term. Please feel free to reopen this issue if you still need help.
@zeripath commented on GitHub (Mar 4, 2023):
It's a fairly interesting idea for Gitea to implement/replicate Gravatar's funcitonality and I don't believe that it would be too difficult to do this - but yes I don't believe that it is a bug that Gitea does not implement this.
@astos-marcb you could open a feature request but you'd need to link to the specs for it.
@astos-marcb commented on GitHub (Mar 9, 2023):
In a way Gitea does already implement/provide it (supply an avatar picture at URL
/avatars/{md5(email)})The problem is that default (generated) and custom (uploaded) avatars are not named and treated equally (endpoint always resolves to the default avatar file).
A quick-and-dirty and incomplete solution would be to forgo content checking and always save the avatar file as
avatars/{md5(mail)}.This would not solve the conflicting naming conventions for
useravatar andrepoavatar and has no chance of supporting multiple mail addresses for the same user.Ideally, logic used for repository avatar filenames (
{repo-id}-{upload-checksum}) should be used and a correct mapping from all email entries of a user should be done in the router layer.The default (out of the box) behavior of creating the default file with a different name would not have any drawbacks (assuming the router part is working as described).
A possible middle ground (and easy to debug solution) would employ:
{user-id}-{upload-checksum})md5(email)links for all mail entries for a user (guaranteed to be unique per instance).For migrating user-supplied avatars the transformed name can be just
{user-id}-<zeros>to indicate unknown/discarded content checksum (it currently gets rehashed with the user mail address).@astos-marcb commented on GitHub (Mar 9, 2023):
Hm, there are already done some changes to unify avatar naming for
v1.20.Will have a look how/if this affects current
/avatars/{md5(email)}behavior (break/improve?).UNAFFECTED: The filename for generated avatars (still) uses
md5({email})instead of new/unifiedsha256({user}-{data}).