aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAnton Tananaev <anton.tananaev@gmail.com>2021-06-19 22:53:36 -0700
committerAnton Tananaev <anton.tananaev@gmail.com>2021-06-19 22:53:36 -0700
commitf2c949998733734543be2ec795b2aa9b909b0044 (patch)
treef22fa609f1dbc0640c4bcda2192f422b4e5a34eb /src
parentcfe72dc8cded38c6426fdcc6db22defeae2e1caf (diff)
downloadtrackermap-server-f2c949998733734543be2ec795b2aa9b909b0044.tar.gz
trackermap-server-f2c949998733734543be2ec795b2aa9b909b0044.tar.bz2
trackermap-server-f2c949998733734543be2ec795b2aa9b909b0044.zip
Disable directory listings (fix #4701)
Diffstat (limited to 'src')
-rw-r--r--src/main/java/org/traccar/api/MediaFilter.java13
-rw-r--r--src/main/java/org/traccar/web/WebServer.java3
2 files changed, 7 insertions, 9 deletions
diff --git a/src/main/java/org/traccar/api/MediaFilter.java b/src/main/java/org/traccar/api/MediaFilter.java
index 53539770f..77731a810 100644
--- a/src/main/java/org/traccar/api/MediaFilter.java
+++ b/src/main/java/org/traccar/api/MediaFilter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2018 - 2021 Anton Tananaev (anton@traccar.org)
* Copyright 2018 Andrey Kunitsyn (andrey@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -62,20 +62,17 @@ public class MediaFilter implements Filter {
}
String path = ((HttpServletRequest) request).getPathInfo();
- String[] parts = path.split("/");
- if (parts.length < 2 || parts.length == 2 && !path.endsWith("/")) {
- Context.getPermissionsManager().checkAdmin(userId);
- } else {
+ String[] parts = path != null ? path.split("/") : null;
+ if (parts != null && parts.length >= 2) {
Device device = Context.getDeviceManager().getByUniqueId(parts[1]);
if (device != null) {
Context.getPermissionsManager().checkDevice(userId, device.getId());
- } else {
- httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
+ chain.doFilter(request, response);
return;
}
}
- chain.doFilter(request, response);
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
} catch (SecurityException e) {
httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
httpResponse.getWriter().println(Log.exceptionStack(e));
diff --git a/src/main/java/org/traccar/web/WebServer.java b/src/main/java/org/traccar/web/WebServer.java
index ffa06adfd..04c320839 100644
--- a/src/main/java/org/traccar/web/WebServer.java
+++ b/src/main/java/org/traccar/web/WebServer.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2012 - 2020 Anton Tananaev (anton@traccar.org)
+ * Copyright 2012 - 2021 Anton Tananaev (anton@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -136,6 +136,7 @@ public class WebServer {
private void initWebApp(Config config, ServletContextHandler servletHandler) {
ServletHolder servletHolder = new ServletHolder(DefaultServlet.class);
servletHolder.setInitParameter("resourceBase", new File(config.getString(Keys.WEB_PATH)).getAbsolutePath());
+ servletHolder.setInitParameter("dirAllowed", "false");
if (config.getBoolean(Keys.WEB_DEBUG)) {
servletHandler.setWelcomeFiles(new String[] {"debug.html", "index.html"});
} else {