From: Michael Tremer
Date: Thu, 10 Jul 2025 15:06:29 +0000 (+0000)
Subject: api: packages: Prevent files from being downloaded that are not downloadable
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=070ad34c7595e777fb142a97bce5eb8da3b08511;p=pbs.git
api: packages: Prevent files from being downloaded that are not downloadable
Signed-off-by: Michael Tremer
---
diff --git a/src/api/packages.py b/src/api/packages.py
index 456a4d3b..e18ca055 100644
--- a/src/api/packages.py
+++ b/src/api/packages.py
@@ -109,7 +109,9 @@ async def download_file(
 if not file:
 raise fastapi.HTTPException(404, "Could not find file %s in %s" % (path, package))
- # XXX Check if this is actually downloadable
+ # Check if this is actually downloadable
+ if not file.is_downloadable():
+ raise fastapi.HTTPException(400, "File is not downloadable")
 return fastapi.responses.StreamingResponse(file.stream(), headers=file.headers)
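Review bot: The new guard in `download_file` answers with 400, which tells the client its request was malformed when the server is in fact refusing by policy; `raise fastapi.HTTPException(403, "File is not downloadable")` describes that better, or the 404 above can be reused if the API should not reveal that a non-downloadable path exists in the package. `is_downloadable()` is defined outside this hunk, and because the handler is `async def` it is worth confirming that it is a plain method: if it were a coroutine, `not file.is_downloadable()` would always be false and the check would never fire without an `await`. A regression test that requests a known non-downloadable file and asserts that no file body is returned would pin the behaviour. The body of `download_file` starts above the hunk.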