Send 404 immediately for known public requests (#11117)

Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion.

I also added fomantic to the reserved usernames and sorted the list.

Fixes: #11088

1 files changed, 22 insertions, 0 deletions

diff --git a/modules/public/public.go b/modules/public/public.go
index 2617d31aea..fb8d9c1955 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -30,6 +30,15 @@ type Options struct {
 	Prefix       string
 }
 
+// List of known entries inside the `public` directory
+var knownEntries = []string{
+	"css",
+	"fomantic",
+	"img",
+	"js",
+	"vendor",
+}
+
 // Custom implements the macaron static handler for serving custom assets.
 func Custom(opts *Options) macaron.Handler {
 	return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 
 	f, err := opt.FileSystem.Open(file)
 	if err != nil {
+		// 404 requests to any known entries in `public`
+		if path.Base(opts.Directory) == "public" {
+			parts := strings.Split(file, "/")
+			if len(parts) < 2 {
+				return false
+			}
+			for _, entry := range knownEntries {
+				if entry == parts[1] {
+					ctx.Resp.WriteHeader(404)
+					return true
+				}
+			}
+		}
 		return false
 	}
 	defer f.Close()