Fixes #14: Prevents directory listing in subdirectories

This commit prevents directory listings in every directory level, not just on root level ("upload/"). In earlier versions, an attacker could get a list of past uploads if he ever received a valid file download path, removed the file name and descendet in parent directories.
ThomasLeister · Jan 8, 2020 · 7dff020 · 7dff020
1 parent 65ca295
commit 7dff020
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/main.go b/main.go
@@ -48,7 +48,6 @@ func addCORSheaders(w http.ResponseWriter) {
 	w.Header().Set("Access-Control-Max-Age", "7200")
 }
 
-
 /*
  * Request handler
  * Is activated when a clients requests the file, file information or an upload
@@ -67,7 +66,7 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 		log.Println("Failed to parse URL query params:", err)
 	}
 
-	fileStorePath := strings.TrimPrefix(u.Path, "/" + conf.UploadSubDir)
+	fileStorePath := strings.TrimPrefix(u.Path, "/"+conf.UploadSubDir)
 
 	// Add CORS headers
 	addCORSheaders(w)
@@ -137,7 +136,8 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", contentType)
 	} else if r.Method == "GET" {
 		contentType := mime.TypeByExtension(filepath.Ext(fileStorePath))
-		if fileStorePath == "" {
+		if f, err := os.Stat(conf.Storedir + fileStorePath); err != nil || f.IsDir() {
+			log.Println("Directory listing forbidden!")
 			http.Error(w, "403 Forbidden", 403)
 			return
 		}