Browse Source
Send 404 immediately for known public requests (#11117)
Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088tags/v1.13.0-dev
silverwind
GitHub
5 years ago
2 changed files with 30 additions and 7 deletions
Unified View
Diff Options
-
+8 -7models/user.go
-
+22 -0modules/public/public.go
+ 8
- 7
models/user.go
View File
| @@ -844,16 +844,20 @@ func (u *User) IsGhost() bool { | |||||
| var ( | var ( | ||||
| reservedUsernames = []string{ | reservedUsernames = []string{ | ||||
| "attachments", | |||||
| ".", | |||||
| "..", | |||||
| ".well-known", | |||||
| "admin", | "admin", | ||||
| "api", | "api", | ||||
| "assets", | "assets", | ||||
| "attachments", | |||||
| "avatars", | "avatars", | ||||
| "commits", | "commits", | ||||
| "css", | "css", | ||||
| "debug", | "debug", | ||||
| "error", | "error", | ||||
| "explore", | "explore", | ||||
| "fomantic", | |||||
| "ghost", | "ghost", | ||||
| "help", | "help", | ||||
| "img", | "img", | ||||
| @@ -861,6 +865,7 @@ var ( | |||||
| "issues", | "issues", | ||||
| "js", | "js", | ||||
| "less", | "less", | ||||
| "login", | |||||
| "manifest.json", | "manifest.json", | ||||
| "metrics", | "metrics", | ||||
| "milestones", | "milestones", | ||||
| @@ -871,16 +876,12 @@ var ( | |||||
| "pulls", | "pulls", | ||||
| "raw", | "raw", | ||||
| "repo", | "repo", | ||||
| "robots.txt", | |||||
| "search", | |||||
| "stars", | "stars", | ||||
| "template", | "template", | ||||
| "user", | "user", | ||||
| "vendor", | "vendor", | ||||
| "login", | |||||
| "robots.txt", | |||||
| ".", | |||||
| "..", | |||||
| ".well-known", | |||||
| "search", | |||||
| } | } | ||||
| reservedUserPatterns = []string{"*.keys", "*.gpg"} | reservedUserPatterns = []string{"*.keys", "*.gpg"} | ||||
| ) | ) | ||||
+ 22
- 0
modules/public/public.go
View File
| @@ -30,6 +30,15 @@ type Options struct { | |||||
| Prefix string | Prefix string | ||||
| } | } | ||||
| // List of known entries inside the `public` directory | |||||
| var knownEntries = []string{ | |||||
| "css", | |||||
| "fomantic", | |||||
| "img", | |||||
| "js", | |||||
| "vendor", | |||||
| } | |||||
| // Custom implements the macaron static handler for serving custom assets. | // Custom implements the macaron static handler for serving custom assets. | ||||
| func Custom(opts *Options) macaron.Handler { | func Custom(opts *Options) macaron.Handler { | ||||
| return opts.staticHandler(path.Join(setting.CustomPath, "public")) | return opts.staticHandler(path.Join(setting.CustomPath, "public")) | ||||
| @@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options) | |||||
| f, err := opt.FileSystem.Open(file) | f, err := opt.FileSystem.Open(file) | ||||
| if err != nil { | if err != nil { | ||||
| // 404 requests to any known entries in `public` | |||||
| if path.Base(opts.Directory) == "public" { | |||||
| parts := strings.Split(file, "/") | |||||
| if len(parts) < 2 { | |||||
| return false | |||||
| } | |||||
| for _, entry := range knownEntries { | |||||
| if entry == parts[1] { | |||||
| ctx.Resp.WriteHeader(404) | |||||
| return true | |||||
| } | |||||
| } | |||||
| } | |||||
| return false | return false | ||||
| } | } | ||||
| defer f.Close() | defer f.Close() | ||||