Send 404 immediately for known public requests

Instead of further handling requests to `public` which causes issues
like #11088, immediately
terminate requests to directories `js`, `css`, `fomantic` if no file is
found which is checked against a hardcoded list. Maybe there is a way to
retrieve the top-level entries below `public` in a dynamic fashion.

I also added `fomantic` to the reserved usernames and sorted the list.

Fixes: #11088

models/user.go

@@ -844,23 +844,28 @@ func (u *User) IsGhost() bool {
 
 var (
  reservedUsernames = []string{
- "attachments",
+ ".",
+ "..",
+ ".well-known",
  "admin",
  "api",
  "assets",
+ "attachments",
  "avatars",
  "commits",
  "css",
  "debug",
  "error",
  "explore",
+ "fomantic",
  "ghost",
  "help",
  "img",
  "install",
  "issues",
  "js",
  "less",
+ "login",
  "manifest.json",
  "metrics",
  "milestones",
@@ -871,16 +876,12 @@ var (
  "pulls",
  "raw",
  "repo",
+ "robots.txt",
+ "search",
  "stars",
  "template",
  "user",
  "vendor",
- "login",
- "robots.txt",
- ".",
- "..",
- ".well-known",
- "search",
  }
  reservedUserPatterns = []string{"*.keys", "*.gpg"}
 )

modules/public/public.go

@@ -30,6 +30,13 @@ type Options struct {
  Prefix string
 }
 
+// List of entries inside the `public` directory
+var resourceEntries = []string{
+ "js",
+ "css",
+ "fomantic",
+}
+
 // Custom implements the macaron static handler for serving custom assets.
 func Custom(opts *Options) macaron.Handler {
  return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@@ -99,6 +106,20 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 
  f, err := opt.FileSystem.Open(file)
  if err != nil {
+ // 404 requests to any known entries in `public`
+ if path.Base(opts.Directory) == "public" {
+ parts := strings.Split(file, "/")
+ if len(parts) < 2 {
+ return false
+ }
+ for _, entry := range resourceEntries {
+ if entry == parts[1] {
+ ctx.Resp.WriteHeader(404)
+ ctx.Resp.Write([]byte(""))
+ return true
+ }
+ }
+ }
  return false
  }
  defer f.Close()