From dea781af983f0150a13d09d7a943983cef2d3926 Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Mon, 27 Jun 2022 10:36:22 +0300
Subject: [PATCH] archweb: use a whitelist for files in /iso/

Allow only .sig, .torrent and .txt.

This is done to prevent downloading files such as https://archlinux.org/iso/latest/arch/boot/x86_64/vmlinuz-linux.
---
 roles/archweb/templates/nginx.d.conf.j2 | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index c7b9f8325..2fa0779a1 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -151,12 +151,14 @@ server {
         alias {{ archweb_dir }}/archlinux.org/logos/;
     }
 
-    location ~ ^/iso/(.*\.(iso|img|tar\.gz|sfs)$) {
-        deny all;
-    }
-
     location /iso/ {
         alias {{ archweb_rsync_iso_dir }};
+
+        location ~ ^/iso/.*\.(sig|torrent|txt)$ {
+        }
+        location /iso/ {
+            deny all;
+        }
     }
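Review bot: The allow-list location `location ~ ^/iso/.*\.(sig|torrent|txt)$ { }` has an empty body, which is the nginx idiom for "match here so the sibling deny-all is not reached, and serve with the inherited alias", but to a later reader it looks like an unfinished block; a comment would prevent someone "cleaning it up" and silently reopening access. I would add above it `# Intentionally empty: requests matching this regex are served from the inherited alias; every other /iso/ path falls through to the deny-all below.`. Note also that `~` is case-sensitive, so a request for `/iso/latest/foo.TXT` is denied rather than served, which is presumably fine given the lower-case names in the rsync tree, but worth stating in the same comment if it is deliberate. The enclosing `server { }` block begins and ends outside the hunk.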
 
     # Cache django's css, js and png files.
-- 
GitLab