From 070ad34c7595e777fb142a97bce5eb8da3b08511 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 10 Jul 2025 15:06:29 +0000
Subject: [PATCH] api: packages: Prevent files from being downloaded that are not downloadable
Signed-off-by: Michael Tremer
---
 src/api/packages.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/api/packages.py b/src/api/packages.py
index 456a4d3b..e18ca055 100644
--- a/src/api/packages.py
+++ b/src/api/packages.py
@@ -109,7 +109,9 @@ async def download_file(
 if not file:
 raise fastapi.HTTPException(404, "Could not find file %s in %s" % (path, package))
- # XXX Check if this is actually downloadable
+ # Check if this is actually downloadable
+ if not file.is_downloadable():
+ raise fastapi.HTTPException(400, "File is not downloadable")
 return fastapi.responses.StreamingResponse(file.stream(), headers=file.headers)
-- 
2.47.2
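Review bot: The new guard answers a non-downloadable file with status 400, but the request is well-formed and the refusal is a policy decision, so 403 would describe it better and would let clients and log-based monitoring tell denied downloads apart from malformed requests: `raise fastapi.HTTPException(403, "File is not downloadable")`. The check only protects anything if `file.is_downloadable()` is a plain synchronous method. Its definition is not in this hunk, and inside this `async def` a coroutine called without `await` would always be truthy, so `not ...` would never fire and every file would pass; that is worth confirming. The comment could also state what makes a file non-downloadable, since the criteria live in a method not visible here. The body of `download_file` starts before the hunk and may continue after it.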