From 9054a5db4c2d62ef1f84f8af6d6b0a7a49b42880 Mon Sep 17 00:00:00 2001
From: Felix Delattre
Date: Sat, 7 Jul 2018 02:01:32 +0200
Subject: [PATCH] Avoid serving overview of main directory
---
 main.go | 4 ++++
 main_test.go | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/main.go b/main.go
index b94258a..bc017fd 100644
--- a/main.go
+++ b/main.go
@@ -122,6 +122,10 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", contentType)
 } else if r.Method == "GET" {
 contentType := mime.TypeByExtension(filepath.Ext(fileStorePath))
+ if fileStorePath == "" {
+ http.Error(w, "403 Forbidden", 403)
+ return
+ }
 if contentType == "" {
 contentType = "application/octet-stream"
 }
diff --git a/main_test.go b/main_test.go
index 9ccb619..140870c 100644
--- a/main_test.go
+++ b/main_test.go
@@ -183,3 +183,26 @@ func TestDownloadGet(t *testing.T) {
 t.Errorf("handler returned wrong status code: got %v want %v. HTTP body: %s", status, http.StatusOK, rr.Body.String())
 }
 }
+
+func TestEmptyGet(t *testing.T) {
+ // Set config
+ readConfig("config.toml", &conf)
+
+ // Create request
+ req, err := http.NewRequest("GET", "", nil)
+
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ rr := httptest.NewRecorder()
+ handler := http.HandlerFunc(handleRequest)
+
+ // Send request and record response
+ handler.ServeHTTP(rr, req)
+
+ // Check status code
+ if status := rr.Code; status != http.StatusForbidden {
+ t.Errorf("handler returned wrong status code: got %v want %v. HTTP body: %s", status, http.StatusForbidden, rr.Body.String())
+ }
+}
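Review bot: The guard added to the GET branch rejects only the exact empty `fileStorePath`, so it blocks one spelling of the store root rather than directory requests in general. How `fileStorePath` is derived and how the file is served are outside this hunk; if the serving call can render directory listings, any sub-directory of the store would presumably still be listed, and a check on the resolved path (`os.Stat` followed by `IsDir()`) before serving would cover every case. The branch that ends just above with `w.Header().Set("Content-Type", contentType)` gets no equivalent check, so confirm it cannot disclose metadata for the root either. Smaller points: place the guard above `contentType := ...` so a rejected request does no work, and write the status as `http.Error(w, "403 Forbidden", http.StatusForbidden)` to match the constant the new test asserts on.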
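Review bot: `TestEmptyGet` sends a request with an empty URL (`http.NewRequest("GET", "", nil)`), which a real client cannot put on the wire, so the test may pass without exercising the path a browser would actually use to reach the store root. Add a second case that requests the handler's configured route with a trailing slash, and ideally one for a sub-directory, each expecting `http.StatusForbidden`. The result of `readConfig("config.toml", &conf)` is not checked; if it returns an error the test should stop with `t.Fatal` instead of running against a zero-valued `conf`.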