authorsilverwind <me@silverwind.io>2020-04-18 23:01:06 +0200
committerGitHub <noreply@github.com>2020-04-18 22:01:06 +0100
commit5180deb8199b851384c60fac5b78aac3c9b50a67 (patch)
treecf8b1abb471d9daf4798efb13bb637b83e72eccf
parent6034f8bcaaa5348fee775d2307ff03162130a088 (diff)
Send 404 immediately for known public requests (#11117)
Instead of handling requests to `public` any further, which causes issues like #11088, immediately terminate requests to the directories js, css, fomantic with a 404 if no file is found; the directory name is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088
-rw-r--r--models/user.go15
-rw-r--r--modules/public/public.go22
2 files changed, 30 insertions, 7 deletions
diff --git a/models/user.go b/models/user.go
index 06f11c968c..50635273bd 100644
--- a/models/user.go
+++ b/models/user.go
@@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
var (
reservedUsernames = []string{
- "attachments",
+ ".",
+ "..",
+ ".well-known",
"admin",
"api",
"assets",
+ "attachments",
"avatars",
"commits",
"css",
"debug",
"error",
"explore",
+ "fomantic",
"ghost",
"help",
"img",
@@ -861,6 +865,7 @@ var (
"issues",
"js",
"less",
+ "login",
"manifest.json",
"metrics",
"milestones",
@@ -871,16 +876,12 @@ var (
"pulls",
"raw",
"repo",
+ "robots.txt",
+ "search",
"stars",
"template",
"user",
"vendor",
- "login",
- "robots.txt",
- ".",
- "..",
- ".well-known",
- "search",
}
reservedUserPatterns = []string{"*.keys", "*.gpg"}
)
diff --git a/modules/public/public.go b/modules/public/public.go
index 2617d31aea..fb8d9c1955 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -30,6 +30,15 @@ type Options struct {
Prefix string
}
+// List of known entries inside the `public` directory
+var knownEntries = []string{
+ "css",
+ "fomantic",
+ "img",
+ "js",
+ "vendor",
+}
+
// Custom implements the macaron static handler for serving custom assets.
func Custom(opts *Options) macaron.Handler {
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
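Review bot: The `knownEntries` list added at L78 repeats names that also appear in `reservedUsernames` in models/user.go (css, fomantic, img, js, vendor), and nothing in the code ties the two lists together, so the next top-level directory added under `public` has to be entered in both places by hand. An entry missing here means a request for a missing file under that directory is no longer short-circuited with a 404 and falls through to whatever handler runs next; an entry missing there presumably lets a user register the directory name, which is what the reserved list appears to guard against. The description already concedes the list cannot be derived dynamically, so the minimum is a comment that makes the coupling explicit: `// Keep in sync with the top-level directories under public/ and with reservedUsernames in models/user.go; a directory missing here is not short-circuited to 404.`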
@@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
f, err := opt.FileSystem.Open(file)
if err != nil {
+ // 404 requests to any known entries in `public`
+ if path.Base(opts.Directory) == "public" {
+ parts := strings.Split(file, "/")
+ if len(parts) < 2 {
+ return false
+ }
+ for _, entry := range knownEntries {
+ if entry == parts[1] {
+ ctx.Resp.WriteHeader(404)
+ return true
+ }
+ }
+ }
return false
}
defer f.Close()