Send 404 immediately for known public requests #11117

Merged
merged 5 commits into from
Apr 18, 2020

silverwind
Member

Instead of further handling requests to public which causes issues like #11088, immediately terminate requests to directories js, css, fomantic if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below public in a dynamic fashion.

I also added fomantic to the reserved usernames and sorted the list.

Fixes: #11088
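
The behaviour described above, as an added example that is not Gitea's code: a static-file middleware that answers a miss below one of the static root's own top-level entries with 404 instead of passing the request on. It assumes plain `net/http` rather than macaron, finds the top-level entries with a `Stat` on the root instead of a hardcoded list, and models the fall-through effect from the linked issue's title; `Static`, `appRouter`, `probe` and the sample tree are hypothetical names and data.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"testing/fstest"
)

// Constructed sample tree standing in for the `public` directory.
var public = fstest.MapFS{
	"js/index.js": {Data: []byte("// js")}, "fomantic/semantic.min.css": {Data: []byte("/* css */")},
}

// appRouter is a hypothetical stand-in for the handlers behind the static middleware.
func appRouter(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "redirect_to", Value: r.URL.Path})
	http.Redirect(w, r, "/user/login", http.StatusFound)
}

// Static serves root; a miss under one of root's top-level entries ends in a 404.
func Static(root fs.FS, next http.Handler) http.Handler {
	files := http.FileServer(http.FS(root))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(path.Clean("/"+r.URL.Path), "/")
		top, _, _ := strings.Cut(name, "/")
		if info, err := fs.Stat(root, name); err == nil && !info.IsDir() {
			files.ServeHTTP(w, r) // the file exists: serve it
		} else if _, err := fs.Stat(root, top); err == nil {
			http.NotFound(w, r) // known static prefix, no such file: stop here
		} else {
			next.ServeHTTP(w, r) // not a static prefix: continue to the application
		}
	})
}

// probe returns the status code and whether a redirect_to cookie was set.
func probe(h http.Handler, target string) (int, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code, strings.Contains(rec.Header().Get("Set-Cookie"), "redirect_to=")
}

func main() {
	fmt.Println(probe(Static(public, http.HandlerFunc(appRouter)), "/js/missing.js"))
}
```

Because every top-level entry of the static root now shadows the same first path segment in the application's routes, a name such as `fomantic` also has to be unavailable as a username, which is the second change the description mentions.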

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 17, 2020
Instead of further handling requests to `public` which causes issues
like go-gitea#11088, immediately
terminate requests to directories `js`, `css`, `fomantic` if no file is
found which is checked against a hardcoded list. Maybe there is a way to
retrieve the top-level entries below `public` in a dynamic fashion.

I also added `fomantic` to the reserved usernames and sorted the list.

Fixes: go-gitea#11088
@@ -99,6 +106,19 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)

f, err := opt.FileSystem.Open(file)
if err != nil {
// 404 requests to any known entries in `public`
if path.Base(opts.Directory) == "public" {
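Review bot: the new check reads `opts.Directory` from the receiver while the line directly above opens the file through the parameter (`opt.FileSystem.Open(file)`); the signature carries both `opts *Options` and `opt *Options`, so these two lines can refer to different option sets, and one of them should be used consistently here. The branch is also entered for any non-nil `err` from `Open`, so as far as these lines show a permission or I/O error would be answered the same way as a missing file; testing `os.IsNotExist(err)` first would keep those apart. Finally, `path.Base(opts.Directory) == "public"` ties the behaviour to the directory's name, so the code comment should say why the basename test is needed, or the intent should be carried by an explicit field on `Options`.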
Member Author

This condition seems to be needed because this handler is hit twice on every request, first with opts.Directory set to "" and then with an actual path ending in /public, not sure why.

@lunny lunny added the type/bug label Apr 18, 2020
@techknowlogick techknowlogick added this to the 1.12.0 milestone Apr 18, 2020
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Apr 18, 2020
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 18, 2020
@codecov-io

Codecov Report

Merging #11117 into master will decrease coverage by 0.01%.
The diff coverage is 36.36%.

@@            Coverage Diff             @@
##           master   #11117      +/-   ##
==========================================
- Coverage   43.44%   43.43%   -0.02%     
==========================================
  Files         600      600              
  Lines       85008    85018      +10     
==========================================
- Hits        36934    36926       -8     
- Misses      43520    43533      +13     
- Partials     4554     4559       +5     
| Impacted Files | Coverage Δ |
|---|---|
| models/user.go | 49.66% <ø> (ø) |
| modules/public/public.go | 69.79% <36.36%> (-4.63%) ⬇️ |
| services/pull/check.go | 52.43% <0.00%> (-3.05%) ⬇️ |
| modules/git/command.go | 86.95% <0.00%> (-2.61%) ⬇️ |
| modules/queue/unique_queue_disk_channel.go | 53.84% <0.00%> (-1.93%) ⬇️ |
| modules/notification/webhook/webhook.go | 39.61% <0.00%> (-0.59%) ⬇️ |
| models/issue.go | 51.48% <0.00%> (-0.47%) ⬇️ |
| services/pull/pull.go | 33.20% <0.00%> (-0.20%) ⬇️ |
| modules/git/repo.go | 51.88% <0.00%> (+0.83%) ⬆️ |
| modules/git/utils.go | 70.14% <0.00%> (+4.47%) ⬆️ |

... and 2 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@zeripath zeripath merged commit 5180deb into go-gitea:master Apr 18, 2020
@silverwind silverwind deleted the redirect branch April 19, 2020 22:29
ydelafollye pushed a commit to ydelafollye/gitea that referenced this pull request Jul 31, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Successfully merging this pull request may close these issues.

public resources should not set redirect_to cookie