From 257b7171c34446e73fc83186f859e9b9ce67be76 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Thu, 18 Nov 2021 13:25:56 +0000
Subject: [PATCH] Fix possible panic (#17694)
- The code will get the first and second character `link[{0,1]]`. However in a rare case the `link` could have 1 character and thus the `link[1]` will create a panic.
---
 models/repo_avatar.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/models/repo_avatar.go b/models/repo_avatar.go
index aa1b3bc15f..6c83e11a53 100644
--- a/models/repo_avatar.go
+++ b/models/repo_avatar.go
@@ -108,12 +108,11 @@ func (repo *Repository) AvatarLink() string {
 // avatarLink returns user avatar absolute link.
 func (repo *Repository) avatarLink(e db.Engine) string {
 link := repo.relAvatarLink(e)
- // link may be empty!
- if len(link) > 0 {
- if link[0] == '/' && link[1] != '/' {
- return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
- }
+ // we only prepend our AppURL to our known (relative, internal) avatar link to get an absolute URL
+ if strings.HasPrefix(link, "/") && !strings.HasPrefix(link, "//") {
+ return setting.AppURL + strings.TrimPrefix(link, setting.AppSubURL)[1:]
 }
+ // otherwise, return the link as it is
 return link
 }
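Review bot: The `[1:]` slice on the new return line is still an out-of-range path, because `strings.TrimPrefix(link, setting.AppSubURL)` returns an empty string when `link` equals `setting.AppSubURL` exactly, and slicing an empty string at 1 panics. The same expression also silently drops the first character when the remainder after trimming does not start with `/` (a link that merely shares the sub-URL as a textual prefix). Whether `relAvatarLink` can ever return such a value is not visible in this hunk, but since the commit is about removing a panic on short input, the slice could be replaced with a second trim: `return setting.AppURL + strings.TrimPrefix(strings.TrimPrefix(link, setting.AppSubURL), "/")`. A one-element test table covering `""`, `"/"`, `"//host/x"` and a link equal to the sub-URL would pin the behaviour.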