Send 404 immediately for known public requests (#11117)
Instead of passing requests under `public` on to further handlers, which causes issues like #11088, immediately terminate requests for the directories js, css, fomantic with a 404 when no file is found; the directory names are checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below `public` dynamically. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088
This commit is contained in:
parent
6034f8bcaa
commit
5180deb819
2 changed files with 30 additions and 7 deletions
@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
var (
var (
reservedUsernames = []string{
reservedUsernames = []string{
"attachments",
".",
|
"..",
|
".well-known",
"admin",
"admin",
"api",
"api",
"assets",
"assets",
|
"attachments",
"avatars",
"avatars",
"commits",
"commits",
"css",
"css",
"debug",
"debug",
"error",
"error",
"explore",
"explore",
|
"fomantic",
"ghost",
"ghost",
"help",
"help",
"img",
"img",
|
@ -861,6 +865,7 @@ var (
"issues",
"issues",
"js",
"js",
"less",
"less",
|
"login",
"manifest.json",
"manifest.json",
"metrics",
"metrics",
"milestones",
"milestones",
|
@ -871,16 +876,12 @@ var (
"pulls",
"pulls",
"raw",
"raw",
"repo",
"repo",
|
"robots.txt",
|
"search",
"stars",
"stars",
"template",
"template",
"user",
"user",
"vendor",
"vendor",
"login",
|
"robots.txt",
|
".",
|
"..",
|
".well-known",
|
"search",
|
}
}
reservedUserPatterns = []string{"*.keys", "*.gpg"}
reservedUserPatterns = []string{"*.keys", "*.gpg"}
)
)
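Review bot: `reservedUsernames` and the new `knownEntries` slice in the static-asset handler now both enumerate the top-level `public` directories (css, fomantic, img, js, vendor) but are maintained by hand in two places, so a directory added to one and not the other becomes claimable as a username and would shadow the static route — the very ambiguity this list exists to prevent. A small test asserting that every `knownEntries` value is also in `reservedUsernames` would catch that drift; the commit message itself calls the hardcoded list a stopgap for deriving the entries dynamically. Whether reserved-name matching is case-insensitive is not visible in this hunk — if the caller compares exactly, `Fomantic` would still be accepted, so it is worth confirming where this slice is consulted. A one-line comment above the slice would make the coupling explicit: `// Must include every top-level entry of the public directory (kept in step with knownEntries in the static handler); keep sorted.`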
|
|
|
@ -30,6 +30,15 @@ type Options struct {
Prefix string
Prefix string
}
}
|
|
|
// List of known entries inside the `public` directory
|
var knownEntries = []string{
|
"css",
|
"fomantic",
|
"img",
|
"js",
|
"vendor",
|
}
|
|
// Custom implements the macaron static handler for serving custom assets.
// Custom implements the macaron static handler for serving custom assets.
func Custom(opts *Options) macaron.Handler {
func Custom(opts *Options) macaron.Handler {
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
|
@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
|
|
f, err := opt.FileSystem.Open(file)
f, err := opt.FileSystem.Open(file)
if err != nil {
if err != nil {
|
// 404 requests to any known entries in `public`
|
if path.Base(opts.Directory) == "public" {
|
parts := strings.Split(file, "/")
|
if len(parts) < 2 {
|
return false
|
}
|
for _, entry := range knownEntries {
|
if entry == parts[1] {
|
ctx.Resp.WriteHeader(404)
|
return true
|
}
|
}
|
}
return false
return false
}
}
defer f.Close()
defer f.Close()
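Review bot: The new guard reads `opts.Directory` while the line just above it reads `opt.FileSystem` — `handle` has both the receiver `opts` and the parameter `opt` in scope, and if those can ever be different `Options` values the `public` check is evaluated against the wrong one; `if path.Base(opt.Directory) == "public" {` keeps it consistent with the `Open` call, or, if they are always the same object, a short comment saying so spares the next reader the question. `parts[1]` presumes `file` begins with `/` so that `parts[0]` is empty; that holds for a URL path but is not shown in this hunk, and if `file` were ever relative the check would silently compare the second segment instead, so a comment such as `// file is the request path, always "/"-prefixed` above the `Split` would pin the assumption. `ctx.Resp.WriteHeader(404)` is better spelled `ctx.Resp.WriteHeader(http.StatusNotFound)` (adding `net/http` to the imports if it is not already there), and the linear scan over `knownEntries` could be a `switch parts[1] { case "css", "fomantic", "img", "js", "vendor": ... }`, though that is taste. `handle` begins and ends outside this hunk.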
|
|