api: packages: Prevent files from being downloaded that are not downloadable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/api/packages.py b/src/api/packages.py
index 456a4d3b2cc50e28ea501e02d69ea79d059f5286..e18ca055e5872d3f6bea28406f60cee6050206be 100644 (file)
--- a/src/api/packages.py
+++ b/src/api/packages.py
@@ -109,7 +109,9 @@ async def download_file(
        if not file:
                raise fastapi.HTTPException(404, "Could not find file %s in %s" % (path, package))
 
-       # XXX Check if this is actually downloadable
+       # Check if this is actually downloadable
+       if not file.is_downloadable():
+               raise fastapi.HTTPException(400, "File is not downloadable")
 
        return fastapi.responses.StreamingResponse(file.stream(), headers=file.headers)