403 for static directory listing, closes #740

2025-12-10 16:51:24 +01:00 · 2020-04-27 11:29:04 -07:00 · 2020-04-27 11:29:04 -07:00 · 89c4ddd482
commit 89c4ddd482
parent 25014ca25e
2 changed files with 9 additions and 0 deletions
--- a/datasette/utils/asgi.py
+++ b/datasette/utils/asgi.py
@ -328,6 +328,9 @@ def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
        except FileNotFoundError:
            await asgi_send_html(send, "404", 404)
            return
+        if full_path.is_dir():
+            await asgi_send_html(send, "403: Directory listing is not allowed", 403)
+            return
        # Ensure full_path is within root_path to avoid weird "../" tricks
        try:
            full_path.relative_to(root_path)