403 for static directory listing, closes #740

simonw · Apr 27, 2020 · 89c4ddd · 89c4ddd
1 parent 25014ca
commit 89c4ddd
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/datasette/utils/asgi.py b/datasette/utils/asgi.py
@@ -328,6 +328,9 @@ async def inner_static(scope, receive, send):
         except FileNotFoundError:
             await asgi_send_html(send, "404", 404)
             return
+        if full_path.is_dir():
+            await asgi_send_html(send, "403: Directory listing is not allowed", 403)
+            return
         # Ensure full_path is within root_path to avoid weird "../" tricks
         try:
             full_path.relative_to(root_path)

diff --git a/tests/test_config_dir.py b/tests/test_config_dir.py
@@ -114,6 +114,12 @@ def test_static(config_dir_client):
     assert "text/css" == response.headers["content-type"]
 
 
+def test_static_directory_browsing_not_allowed(config_dir_client):
+    response = config_dir_client.get("/static/")
+    assert 403 == response.status
+    assert "403: Directory listing is not allowed" == response.text
+
+
 def test_databases(config_dir_client):
     response = config_dir_client.get("/-/databases.json")
     assert 200 == response.status