From 55d922edd9eadecae3fafabaafb15fe51c57289a Mon Sep 17 00:00:00 2001
From: silverwind
Date: Sat, 18 Apr 2020 01:24:32 +0200
Subject: [PATCH 1/4] Send 404 immediately for known public requests

Instead of further handling requests to `public` which causes issues like https://github.com/go-gitea/gitea/issues/11088, immediately terminate requests to directories `js`, `css`, `fomantic` if no file is found which is checked against a hardcoded list. Maybe there is a way to retrieve the top-level entries below `public` in a dynamic fashion. I also added `fomantic` to the reserved usernames and sorted the list. Fixes: https://github.com/go-gitea/gitea/issues/11088
---
 models/user.go | 15 ++++++++-------
 modules/public/public.go | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/models/user.go b/models/user.go
index 06f11c968c9a..50635273bdf3 100644
--- a/models/user.go
+++ b/models/user.go
@@ -844,16 +844,20 @@ func (u *User) IsGhost() bool {
 
 var (
 reservedUsernames = []string{
- "attachments",
+ ".",
+ "..",
+ ".well-known",
 "admin",
 "api",
 "assets",
+ "attachments",
 "avatars",
 "commits",
 "css",
 "debug",
 "error",
 "explore",
+ "fomantic",
 "ghost",
 "help",
 "img",
@@ -861,6 +865,7 @@ var (
 "issues",
 "js",
 "less",
+ "login",
 "manifest.json",
 "metrics",
 "milestones",
@@ -871,16 +876,12 @@ var (
 "pulls",
 "raw",
 "repo",
+ "robots.txt",
+ "search",
 "stars",
 "template",
 "user",
 "vendor",
- "login",
- "robots.txt",
- ".",
- "..",
- ".well-known",
- "search",
 }
 reservedUserPatterns = []string{"*.keys", "*.gpg"}
 )
diff --git a/modules/public/public.go b/modules/public/public.go
index 2617d31aea58..9f824f715a5c 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
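Review bot: `reservedUsernames` and the entry list added to modules/public/public.go now have to agree, but nothing in either file records that: `css`, `fomantic`, `img`, `js` and `vendor` end up in both, and a top-level `public` directory added to one list but not the other either reopens the routing problem or lets a user name collide with a static-asset route. A comment on the declaration in the first hunk (`@@ -844`) would make the coupling visible, for example `// Top-level entries of the public directory must also be listed in the public module's entry list (modules/public/public.go) so that static-asset paths are never valid user names.` The same cross-reference belongs on the list itself in public.go, in patch 1's `@@ -30,6` hunk and patch 4's `@@ -32,9` hunk (the variable is `resourceEntries` here and `knownEntries` after patch 3). The `var (` block is cut across three hunks here, so the comment should sit on the `reservedUsernames = []string{` line of the first one.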
@@ -30,6 +30,13 @@ type Options struct {
 Prefix string
 }
 
+// List of entries inside the `public` directory
+var resourceEntries = []string{
+ "js",
+ "css",
+ "fomantic",
+}
+
 // Custom implements the macaron static handler for serving custom assets.
 func Custom(opts *Options) macaron.Handler {
 return opts.staticHandler(path.Join(setting.CustomPath, "public"))
@@ -99,6 +106,20 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 
 f, err := opt.FileSystem.Open(file)
 if err != nil {
+ // 404 requests to any known entries in `public`
+ if path.Base(opts.Directory) == "public" {
+ parts := strings.Split(file, "/")
+ if len(parts) < 2 {
+ return false
+ }
+ for _, entry := range resourceEntries {
+ if entry == parts[1] {
+ ctx.Resp.WriteHeader(404)
+ ctx.Resp.Write([]byte(""))
+ return true
+ }
+ }
+ }
 return false
 }
 defer f.Close()
From eb554ef0b3a97cf3cebc4cefceaf26d236e84d53 Mon Sep 17 00:00:00 2001
From: silverwind
Date: Sat, 18 Apr 2020 01:48:39 +0200
Subject: [PATCH 2/4] remove ctx.Resp.Write

---
 modules/public/public.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/public/public.go b/modules/public/public.go
index 9f824f715a5c..2b4224f7c800 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -115,7 +115,6 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 for _, entry := range resourceEntries {
 if entry == parts[1] {
 ctx.Resp.WriteHeader(404)
- ctx.Resp.Write([]byte(""))
 return true
 }
 }
From 13ed26aa236e8317740c24fd513e379b657f4c40 Mon Sep 17 00:00:00 2001
From: silverwind
Date: Sat, 18 Apr 2020 01:49:54 +0200
Subject: [PATCH 3/4] rename variable

---
 modules/public/public.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/public/public.go b/modules/public/public.go
index 2b4224f7c800..3881450e4c40 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
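Review bot: In the `@@ -99,6 +106,20` hunk the match is done on `parts[1]` of `strings.Split(file, "/")`, which is the first path segment only while `file` still carries its leading slash; `file` is built above the hunk (the prefix stripping is not visible here), so the new code relies on an assumption it never states. Trimming the slash and taking the first segment removes that dependency together with the `len(parts) < 2` guard, whose `return false` is exactly what the fall-through already does: `first := strings.SplitN(strings.TrimPrefix(file, "/"), "/", 2)[0]` and then `if entry == first {`, writing `http.StatusNotFound` rather than the bare `404` if `net/http` is already imported in this file. Any `Open` error under a known entry, not only a missing file, is now answered with 404 and the error value is dropped, so logging errors other than not-found through the `log` parameter would keep permission or I/O problems visible to operators. `handle` starts and ends outside the hunk.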
@@ -30,8 +30,8 @@ type Options struct {
 Prefix string
 }
 
-// List of entries inside the `public` directory
-var resourceEntries = []string{
+// List of known entries inside the `public` directory
+var knownEntries = []string{
 "js",
 "css",
 "fomantic",
@@ -112,7 +112,7 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 if len(parts) < 2 {
 return false
 }
- for _, entry := range resourceEntries {
+ for _, entry := range knownEntries {
 if entry == parts[1] {
 ctx.Resp.WriteHeader(404)
 return true
From 451f8c30ea98e65e84b737997d908c02a8cfc357 Mon Sep 17 00:00:00 2001
From: silverwind
Date: Sat, 18 Apr 2020 07:59:22 +0200
Subject: [PATCH 4/4] add img and vendor to knownEntries

---
 modules/public/public.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/public/public.go b/modules/public/public.go
index 3881450e4c40..fb8d9c1955f9 100644
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -32,9 +32,11 @@ type Options struct {
 
 // List of known entries inside the `public` directory
 var knownEntries = []string{
- "js",
 "css",
 "fomantic",
+ "img",
+ "js",
+ "vendor",
 }
 
 // Custom implements the macaron static handler for serving custom assets.