From 7dff0209f563414ced7584120dd7070ce2044155 Mon Sep 17 00:00:00 2001
From: Thomas Leister
Date: Wed, 8 Jan 2020 19:38:58 +0100
Subject: [PATCH] Fixes #14: Prevents directory listing in subdirectories

This commit prevents directory listings in every directory level, not just on root level ("upload/"). In earlier versions, an attacker could get a list of past uploads if he ever received a valid file download path, removed the file name and descendet in parent directories.
---
 main.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.go b/main.go
index 991f5cc..4bd5a6e 100644
--- a/main.go
+++ b/main.go
@@ -48,7 +48,6 @@ func addCORSheaders(w http.ResponseWriter) {
 w.Header().Set("Access-Control-Max-Age", "7200")
 }
 
-
 /*
 * Request handler
 * Is activated when a clients requests the file, file information or an upload
@@ -67,7 +66,7 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 log.Println("Failed to parse URL query params:", err)
 }
 
-fileStorePath := strings.TrimPrefix(u.Path, "/" + conf.UploadSubDir)
+fileStorePath := strings.TrimPrefix(u.Path, "/"+conf.UploadSubDir)
 
 // Add CORS headers
 addCORSheaders(w)
@@ -137,7 +136,8 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", contentType)
 } else if r.Method == "GET" {
 contentType := mime.TypeByExtension(filepath.Ext(fileStorePath))
-if fileStorePath == "" {
+if f, err := os.Stat(conf.Storedir + fileStorePath); err != nil || f.IsDir() {
+log.Println("Directory listing forbidden!")
 http.Error(w, "403 Forbidden", 403)
 return
 }
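Review bot: The new `os.Stat(conf.Storedir + fileStorePath)` builds the filesystem path by plain concatenation of a URL-derived string, and nothing in the hunk shows `u.Path` being cleaned or confined to the store directory before this point; it would be safer to resolve it once as `target := filepath.Join(conf.Storedir, filepath.Clean("/"+fileStorePath))` and reject the request when `target` does not stay under `conf.Storedir`, then stat and serve that same `target`. The `err != nil` branch also sends 403 and logs "Directory listing forbidden!" for every stat failure, including a file that simply does not exist, so the log line misattributes the cause; either split the two cases or log the error, e.g. `log.Println("Refusing GET for", fileStorePath, "-", err)`. Because the check is a stat followed by a separate open later in handleRequest, whose body continues outside this hunk, the served path may still be re-evaluated between the two steps, so the code that opens the file should also tolerate a directory result rather than relying on this check alone. Minor style point: `http.Error(w, "403 Forbidden", 403)` could use `http.StatusForbidden` and `http.StatusText(http.StatusForbidden)` instead of the literals.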