Send 404 immediately for known public requests (#11117)

Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion. I also added fomantic to the reserved usernames and sorted the list. Fixes: #11088
2020-04-18 23:01:06 +02:00 · 2020-04-18 23:01:06 +02:00 · 5180deb819
commit 5180deb819
parent 6034f8bcaa
2 changed files with 30 additions and 7 deletions
--- a/modules/public/public.go
+++ b/modules/public/public.go
@ -30,6 +30,15 @@ type Options struct {
 	Prefix       string
 }

+// List of known entries inside the `public` directory
+var knownEntries = []string{
+	"css",
+	"fomantic",
+	"img",
+	"js",
+	"vendor",
+}
+
 // Custom implements the macaron static handler for serving custom assets.
 func Custom(opts *Options) macaron.Handler {
 	return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@ -99,6 +108,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)

 	f, err := opt.FileSystem.Open(file)
 	if err != nil {
+		// 404 requests to any known entries in `public`
+		if path.Base(opts.Directory) == "public" {
+			parts := strings.Split(file, "/")
+			if len(parts) < 2 {
+				return false
+			}
+			for _, entry := range knownEntries {
+				if entry == parts[1] {
+					ctx.Resp.WriteHeader(404)
+					return true
+				}
+			}
+		}
 		return false
 	}
 	defer f.Close()