1
0
mirror of https://github.com/go-gitea/gitea.git synced 2025-01-03 14:57:55 -05:00

Send 404 immediately for known public requests (#11117)

Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion.

I also added fomantic to the reserved usernames and sorted the list.

Fixes: #11088
This commit is contained in:
silverwind 2020-04-18 23:01:06 +02:00 committed by GitHub
parent 6034f8bcaa
commit 5180deb819
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 7 deletions

View File

@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
var ( var (
reservedUsernames = []string{ reservedUsernames = []string{
"attachments", ".",
"..",
".well-known",
"admin", "admin",
"api", "api",
"assets", "assets",
"attachments",
"avatars", "avatars",
"commits", "commits",
"css", "css",
"debug", "debug",
"error", "error",
"explore", "explore",
"fomantic",
"ghost", "ghost",
"help", "help",
"img", "img",
@ -861,6 +865,7 @@ var (
"issues", "issues",
"js", "js",
"less", "less",
"login",
"manifest.json", "manifest.json",
"metrics", "metrics",
"milestones", "milestones",
@ -871,16 +876,12 @@ var (
"pulls", "pulls",
"raw", "raw",
"repo", "repo",
"robots.txt",
"search",
"stars", "stars",
"template", "template",
"user", "user",
"vendor", "vendor",
"login",
"robots.txt",
".",
"..",
".well-known",
"search",
} }
reservedUserPatterns = []string{"*.keys", "*.gpg"} reservedUserPatterns = []string{"*.keys", "*.gpg"}
) )

View File

@ -30,6 +30,15 @@ type Options struct {
Prefix string Prefix string
} }
// List of known entries inside the `public` directory
var knownEntries = []string{
"css",
"fomantic",
"img",
"js",
"vendor",
}
// Custom implements the macaron static handler for serving custom assets. // Custom implements the macaron static handler for serving custom assets.
func Custom(opts *Options) macaron.Handler { func Custom(opts *Options) macaron.Handler {
return opts.staticHandler(path.Join(setting.CustomPath, "public")) return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
f, err := opt.FileSystem.Open(file) f, err := opt.FileSystem.Open(file)
if err != nil { if err != nil {
// 404 requests to any known entries in `public`
if path.Base(opts.Directory) == "public" {
parts := strings.Split(file, "/")
if len(parts) < 2 {
return false
}
for _, entry := range knownEntries {
if entry == parts[1] {
ctx.Resp.WriteHeader(404)
return true
}
}
}
return false return false
} }
defer f.Close() defer f.Close()