Send 404 immediately for known public requests (#11117)
Instead of further handling requests to public, which causes issues like #11088, immediately terminate requests to the directories js, css, fomantic if no file is found; the directory name is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088
parent
6034f8bcaa
commit
5180deb819
2 changed files with 30 additions and 7 deletions
|
@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
|
|||
|
||||
var (
|
||||
reservedUsernames = []string{
|
||||
"attachments",
|
||||
".",
|
||||
"..",
|
||||
".well-known",
|
||||
"admin",
|
||||
"api",
|
||||
"assets",
|
||||
"attachments",
|
||||
"avatars",
|
||||
"commits",
|
||||
"css",
|
||||
"debug",
|
||||
"error",
|
||||
"explore",
|
||||
"fomantic",
|
||||
"ghost",
|
||||
"help",
|
||||
"img",
|
||||
|
@ -861,6 +865,7 @@ var (
|
|||
"issues",
|
||||
"js",
|
||||
"less",
|
||||
"login",
|
||||
"manifest.json",
|
||||
"metrics",
|
||||
"milestones",
|
||||
|
@ -871,16 +876,12 @@ var (
|
|||
"pulls",
|
||||
"raw",
|
||||
"repo",
|
||||
"robots.txt",
|
||||
"search",
|
||||
"stars",
|
||||
"template",
|
||||
"user",
|
||||
"vendor",
|
||||
"login",
|
||||
"robots.txt",
|
||||
".",
|
||||
"..",
|
||||
".well-known",
|
||||
"search",
|
||||
}
|
||||
reservedUserPatterns = []string{"*.keys", "*.gpg"}
|
||||
)
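Review bot: Nothing on `reservedUsernames` says why these names are reserved or that the list has to stay in step with the `knownEntries` list this commit adds to the static handler. With the new 404 short-circuit, a top-level name that is in `knownEntries` but not reserved here could presumably be registered by a user, whose pages would then be answered as missing static files. A comment above the slice such as `// reservedUsernames collide with routes or static directories; keep sorted, and keep every knownEntries name in it` would state the coupling. The `var (` block runs across all three hunks and the entries between them are not shown here.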
|
||||
|
|
|
@ -30,6 +30,15 @@ type Options struct {
|
|||
Prefix string
|
||||
}
|
||||
|
||||
// List of known entries inside the `public` directory
|
||||
var knownEntries = []string{
|
||||
"css",
|
||||
"fomantic",
|
||||
"img",
|
||||
"js",
|
||||
"vendor",
|
||||
}
|
||||
|
||||
// Custom implements the macaron static handler for serving custom assets.
|
||||
func Custom(opts *Options) macaron.Handler {
|
||||
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
|
||||
|
@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
|
|||
|
||||
f, err := opt.FileSystem.Open(file)
|
||||
if err != nil {
|
||||
// 404 requests to any known entries in `public`
|
||||
if path.Base(opts.Directory) == "public" {
|
||||
parts := strings.Split(file, "/")
|
||||
if len(parts) < 2 {
|
||||
return false
|
||||
}
|
||||
for _, entry := range knownEntries {
|
||||
if entry == parts[1] {
|
||||
ctx.Resp.WriteHeader(404)
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
defer f.Close()
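Review bot: The new guard inside `if err != nil` reads `opts.Directory` from the receiver, while the file was opened through the parameter `opt.FileSystem`. Both should use the same Options value, e.g. `if path.Base(opt.Directory) == "public" {`, so the 404 decision is made from the configuration that actually failed to open the file. The branch also answers 404 for every Open error, not only a missing file, so a permission or I/O failure under a known entry is reported as not found. Something like `if os.IsNotExist(err) && path.Base(opt.Directory) == "public" {` would keep those cases apart. `parts[1]` is the first path segment only if `file` begins with `/`; that is presumably true, but `file` is set outside this hunk, as is the rest of `handle`.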
|
||||
|
|