aboutsummaryrefslogtreecommitdiffstats
path: root/modules/public/public.go
diff options
context:
space:
mode:
authorsilverwind <me@silverwind.io>2020-04-18 23:01:06 +0200
committerGitHub <noreply@github.com>2020-04-18 22:01:06 +0100
commit5180deb8199b851384c60fac5b78aac3c9b50a67 (patch)
treecf8b1abb471d9daf4798efb13bb637b83e72eccf /modules/public/public.go
parent6034f8bcaaa5348fee775d2307ff03162130a088 (diff)
downloadgitea-5180deb8199b851384c60fac5b78aac3c9b50a67.tar.gz
gitea-5180deb8199b851384c60fac5b78aac3c9b50a67.zip
Send 404 immediately for known public requests (#11117)
Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088
Diffstat (limited to 'modules/public/public.go')
-rw-r--r--modules/public/public.go22
1 files changed, 22 insertions, 0 deletions
diff --git a/modules/public/public.go b/modules/public/public.go
index 2617d31aea..fb8d9c1955 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -30,6 +30,15 @@ type Options struct {
Prefix string
}
+// List of known entries inside the `public` directory
+var knownEntries = []string{
+ "css",
+ "fomantic",
+ "img",
+ "js",
+ "vendor",
+}
+
// Custom implements the macaron static handler for serving custom assets.
func Custom(opts *Options) macaron.Handler {
return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
f, err := opt.FileSystem.Open(file)
if err != nil {
+ // 404 requests to any known entries in `public`
+ if path.Base(opts.Directory) == "public" {
+ parts := strings.Split(file, "/")
+ if len(parts) < 2 {
+ return false
+ }
+ for _, entry := range knownEntries {
+ if entry == parts[1] {
+ ctx.Resp.WriteHeader(404)
+ return true
+ }
+ }
+ }
return false
}
defer f.Close()