Send 404 immediately for known public requests (#11117)

Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion.

I also added fomantic to the reserved usernames and sorted the list.

Fixes: #11088
release/v1.15
silverwind 2020-04-18 23:01:06 +02:00 committed by GitHub
parent 6034f8bcaa
commit 5180deb819
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 7 deletions

View File

@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
var (
reservedUsernames = []string{
"attachments",
".",
"..",
".well-known",
"admin",
"api",
"assets",
"attachments",
"avatars",
"commits",
"css",
"debug",
"error",
"explore",
"fomantic",
"ghost",
"help",
"img",
@ -861,6 +865,7 @@ var (
"issues",
"js",
"less",
"login",
"manifest.json",
"metrics",
"milestones",
@ -871,16 +876,12 @@ var (
"pulls",
"raw",
"repo",
"robots.txt",
"search",
"stars",
"template",
"user",
"vendor",
"login",
"robots.txt",
".",
"..",
".well-known",
"search",
}
reservedUserPatterns = []string{"*.keys", "*.gpg"}
)

View File

@ -30,6 +30,15 @@ type Options struct {
Prefix string
}
// List of known entries inside the `public` directory
var knownEntries = []string{
"css",
"fomantic",
"img",
"js",
"vendor",
}
// Custom implements the macaron static handler for serving custom assets.
func Custom(opts *Options) macaron.Handler {
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
f, err := opt.FileSystem.Open(file)
if err != nil {
// 404 requests to any known entries in `public`
if path.Base(opts.Directory) == "public" {
parts := strings.Split(file, "/")
if len(parts) < 2 {
return false
}
for _, entry := range knownEntries {
if entry == parts[1] {
ctx.Resp.WriteHeader(404)
return true
}
}
}
return false
}
defer f.Close()