403 for static directory listing, closes #740

Simon Willison 2020-04-27 11:29:04 -07:00
commit 89c4ddd482
2 changed files with 9 additions and 0 deletions


@ -328,6 +328,9 @@ def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
except FileNotFoundError:
await asgi_send_html(send, "404", 404)
return
if full_path.is_dir():
await asgi_send_html(send, "403: Directory listing is not allowed", 403)
return
# Ensure full_path is within root_path to avoid weird "../" tricks
try:
full_path.relative_to(root_path)
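Review bot: The added `full_path.is_dir()` check runs before the `full_path.relative_to(root_path)` containment check that follows it, so the filesystem is queried for a resolved path that has not yet been confirmed to lie under `root_path`. If the containment failure answers with something other than 403 (its handler is outside this hunk), the status code would tell a client whether a location outside the static root is a directory. Moving the three added lines to just after the `relative_to` try/except keeps the 403 limited to directories inside the root, and a comment such as `# Only report directories that are inside root_path` would record why the order matters. The body of `asgi_static` begins and ends outside the hunk.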


@ -114,6 +114,12 @@ def test_static(config_dir_client):
assert "text/css" == response.headers["content-type"]
def test_static_directory_browsing_not_allowed(config_dir_client):
response = config_dir_client.get("/static/")
assert 403 == response.status
assert "403: Directory listing is not allowed" == response.text
def test_databases(config_dir_client):
response = config_dir_client.get("/-/databases.json")
assert 200 == response.status
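Review bot: `test_static_directory_browsing_not_allowed` pins the 403 only for `/static/`, the mount root itself. A nested directory, and a directory requested without the trailing slash, would presumably reach the same `is_dir()` branch but are not asserted here; whether the fixture contains a nested directory cannot be seen from this hunk. Adding one such case, for example `assert 403 == config_dir_client.get("/static/<subdir>").status` with a real fixture directory in place of the placeholder, would keep the behaviour from regressing if the path checks in `asgi_static` are reordered later.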