authorAnton Tananaev <anton.tananaev@gmail.com>2021-06-19 22:53:36 -0700
committerAnton Tananaev <anton.tananaev@gmail.com>2021-06-19 22:53:36 -0700
commitf2c949998733734543be2ec795b2aa9b909b0044 (patch)
treef22fa609f1dbc0640c4bcda2192f422b4e5a34eb /src/main/java/org/traccar/api
parentcfe72dc8cded38c6426fdcc6db22defeae2e1caf (diff)
Disable directory listings (fix #4701)
Diffstat (limited to 'src/main/java/org/traccar/api')
-rw-r--r--src/main/java/org/traccar/api/MediaFilter.java13
1 files changed, 5 insertions, 8 deletions
diff --git a/src/main/java/org/traccar/api/MediaFilter.java b/src/main/java/org/traccar/api/MediaFilter.java
index 53539770f..77731a810 100644
--- a/src/main/java/org/traccar/api/MediaFilter.java
+++ b/src/main/java/org/traccar/api/MediaFilter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2018 - 2021 Anton Tananaev (anton@traccar.org)
* Copyright 2018 Andrey Kunitsyn (andrey@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -62,20 +62,17 @@ public class MediaFilter implements Filter {
}
String path = ((HttpServletRequest) request).getPathInfo();
- String[] parts = path.split("/");
- if (parts.length < 2 || parts.length == 2 && !path.endsWith("/")) {
- Context.getPermissionsManager().checkAdmin(userId);
- } else {
+ String[] parts = path != null ? path.split("/") : null;
+ if (parts != null && parts.length >= 2) {
Device device = Context.getDeviceManager().getByUniqueId(parts[1]);
if (device != null) {
Context.getPermissionsManager().checkDevice(userId, device.getId());
- } else {
- httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
+ chain.doFilter(request, response);
return;
}
}
- chain.doFilter(request, response);
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
} catch (SecurityException e) {
httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
httpResponse.getWriter().println(Log.exceptionStack(e));
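Review bot: The two denial paths still produce different responses: the new `httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);` covers a missing device or a short path, while a failed `checkDevice` lands in the `catch (SecurityException e)` below it, which writes `Log.exceptionStack(e)` into the response body. A client can therefore tell a denied existing device from an unknown one, and internal stack details reach the client. Consider logging the exception server-side and answering with `httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);` in the catch as well. Separately, authorization keys on `parts[1]` alone; whether the remaining path segments are normalised before the file is resolved is not visible in this hunk and should be confirmed. The enclosing method starts and ends outside the hunk.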