1 year ago · 9906caefd5
--- a/internal/httpd/httpd.go
+++ b/internal/httpd/httpd.go
@@ -1047,7 +1047,7 @@ func getServicesStatus() *ServicesStatus {
 
				 	return status
			
 
				 }
			
 
				 
			
 
				-func fileServer(r chi.Router, path string, root http.FileSystem) {
			
 
				+func fileServer(r chi.Router, path string, root http.FileSystem, disableDirectoryIndex bool) {
			
 
				 	if path != "/" && path[len(path)-1] != '/' {
			
 
				 		r.Get(path, http.RedirectHandler(path+"/", http.StatusMovedPermanently).ServeHTTP)
			
 
				 		path += "/"
			
@@ -1057,7 +1057,11 @@ func fileServer(r chi.Router, path string, root http.FileSystem) {
 
				 	r.Get(path, func(w http.ResponseWriter, r *http.Request) {
			
 
				 		rctx := chi.RouteContext(r.Context())
			
 
				 		pathPrefix := strings.TrimSuffix(rctx.RoutePattern(), "/*")
			
 
				-		fs := http.StripPrefix(pathPrefix, http.FileServer(root))
			
 
				+		handler := http.FileServer(root)
			
 
				+		if disableDirectoryIndex {
			
 
				+			handler = neuter(handler)
			
 
				+		}
			
 
				+		fs := http.StripPrefix(pathPrefix, handler)
			
 
				 		fs.ServeHTTP(w, r)
			
 
				 	})
			
 
				 }
			
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@@ -24269,7 +24269,7 @@ func TestStaticFilesMock(t *testing.T) {
 
				 	req, err = http.NewRequest(http.MethodGet, location, nil)
			
 
				 	assert.NoError(t, err)
			
 
				 	rr = executeRequest(req)
			
 
				-	checkResponseCode(t, http.StatusOK, rr)
			
 
				+	checkResponseCode(t, http.StatusForbidden, rr)
			
 
				 
			
 
				 	req, err = http.NewRequest(http.MethodGet, "/openapi", nil)
			
 
				 	assert.NoError(t, err)
			
--- a/internal/httpd/middleware.go
+++ b/internal/httpd/middleware.go
@@ -386,7 +386,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 
				 			}
			
 
				 			if k.Scope != scope {
			
 
				 				handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
			
 
				-				logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
			
 
				+				logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wanted: %d",
			
 
				 					apiKey, k.Scope, scope)
			
 
				 				sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
			
 
				 				return
			
@@ -553,3 +553,14 @@ func checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, t
 
				 	}
			
 
				 	return nil
			
 
				 }
			
 
				+
			
 
				+func neuter(next http.Handler) http.Handler {
			
 
				+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			
 
				+		if strings.HasSuffix(r.URL.Path, "/") {
			
 
				+			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
			
 
				+			return
			
 
				+		}
			
 
				+
			
 
				+		next.ServeHTTP(w, r)
			
 
				+	})
			
 
				+}
			
--- a/internal/httpd/resources.go
+++ b/internal/httpd/resources.go
@@ -23,6 +23,6 @@ import (
 
				 	"github.com/go-chi/chi/v5"
			
 
				 )
			
 
				 
			
 
				-func serveStaticDir(router chi.Router, path, fsDirPath string) {
			
 
				-	fileServer(router, path, http.Dir(fsDirPath))
			
 
				+func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {
			
 
				+	fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)
			
 
				 }
			
--- a/internal/httpd/resources_embedded.go
+++ b/internal/httpd/resources_embedded.go
@@ -18,16 +18,20 @@
 
				 package httpd
			
 
				 
			
 
				 import (
			
 
				+	"net/http"
			
 
				+
			
 
				 	"github.com/go-chi/chi/v5"
			
 
				 
			
 
				 	"github.com/drakkan/sftpgo/v2/internal/bundle"
			
 
				 )
			
 
				 
			
 
				-func serveStaticDir(router chi.Router, path, _ string) {
			
 
				+func serveStaticDir(router chi.Router, path, fsDirPath string, disableDirectoryIndex bool) {
			
 
				 	switch path {
			
 
				 	case webStaticFilesPath:
			
 
				-		fileServer(router, path, bundle.GetStaticFs())
			
 
				+		fileServer(router, path, bundle.GetStaticFs(), disableDirectoryIndex)
			
 
				 	case webOpenAPIPath:
			
 
				-		fileServer(router, path, bundle.GetOpenAPIFs())
			
 
				+		fileServer(router, path, bundle.GetOpenAPIFs(), disableDirectoryIndex)
			
 
				+	default:
			
 
				+		fileServer(router, path, http.Dir(fsDirPath), disableDirectoryIndex)
			
 
				 	}
			
 
				 }
			
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1237,7 +1237,7 @@ func (s *httpdServer) initializeRouter() {
 
				 
			
 
				 	if hasHTTPSRedirect {
			
 
				 		if p := acme.GetHTTP01WebRoot(); p != "" {
			
 
				-			serveStaticDir(s.router, acmeChallengeURI, p)
			
 
				+			serveStaticDir(s.router, acmeChallengeURI, p, true)
			
 
				 		}
			
 
				 	}
			
 
				 
			
@@ -1434,7 +1434,7 @@ func (s *httpdServer) initializeRouter() {
 
				 		if s.renderOpenAPI {
			
 
				 			s.router.Group(func(router chi.Router) {
			
 
				 				router.Use(compressor.Handler)
			
 
				-				serveStaticDir(router, webOpenAPIPath, s.openAPIPath)
			
 
				+				serveStaticDir(router, webOpenAPIPath, s.openAPIPath, false)
			
 
				 			})
			
 
				 		}
			
 
				 	}
			
@@ -1442,7 +1442,7 @@ func (s *httpdServer) initializeRouter() {
 
				 	if s.enableWebAdmin || s.enableWebClient {
			
 
				 		s.router.Group(func(router chi.Router) {
			
 
				 			router.Use(compressor.Handler)
			
 
				-			serveStaticDir(router, webStaticFilesPath, s.staticFilesPath)
			
 
				+			serveStaticDir(router, webStaticFilesPath, s.staticFilesPath, true)
			
 
				 		})
			
 
				 		if s.binding.OIDC.isEnabled() {
			
 
				 			s.router.Get(webOIDCRedirectPath, s.handleOIDCRedirect)