author | Anton Tananaev <anton.tananaev@gmail.com> | 2021-06-19 22:53:36 -0700 |
---|---|---|
committer | Anton Tananaev <anton.tananaev@gmail.com> | 2021-06-19 22:53:36 -0700 |
commit | f2c949998733734543be2ec795b2aa9b909b0044 (patch) | |
tree | f22fa609f1dbc0640c4bcda2192f422b4e5a34eb /src | |
parent | cfe72dc8cded38c6426fdcc6db22defeae2e1caf (diff) | |
Disable directory listings (fix #4701)
Diffstat (limited to 'src')
-rw-r--r-- | src/main/java/org/traccar/api/MediaFilter.java | 13 | ||||
-rw-r--r-- | src/main/java/org/traccar/web/WebServer.java | 3 |
2 files changed, 7 insertions, 9 deletions
diff --git a/src/main/java/org/traccar/api/MediaFilter.java b/src/main/java/org/traccar/api/MediaFilter.java
index 53539770f..77731a810 100644
--- a/src/main/java/org/traccar/api/MediaFilter.java
+++ b/src/main/java/org/traccar/api/MediaFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018 Anton Tananaev (anton@traccar.org)
+ * Copyright 2018 - 2021 Anton Tananaev (anton@traccar.org)
 * Copyright 2018 Andrey Kunitsyn (andrey@traccar.org)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -62,20 +62,17 @@ public class MediaFilter implements Filter {
 }
 String path = ((HttpServletRequest) request).getPathInfo();
- String[] parts = path.split("/");
- if (parts.length < 2 || parts.length == 2 && !path.endsWith("/")) {
- Context.getPermissionsManager().checkAdmin(userId);
- } else {
+ String[] parts = path != null ? path.split("/") : null;
+ if (parts != null && parts.length >= 2) {
 Device device = Context.getDeviceManager().getByUniqueId(parts[1]);
 if (device != null) {
 Context.getPermissionsManager().checkDevice(userId, device.getId());
- } else {
- httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
+ chain.doFilter(request, response);
 return;
 }
 }
- chain.doFilter(request, response);
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
 } catch (SecurityException e) {
 httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
 httpResponse.getWriter().println(Log.exceptionStack(e));
diff --git a/src/main/java/org/traccar/web/WebServer.java b/src/main/java/org/traccar/web/WebServer.java
index ffa06adfd..04c320839 100644
--- a/src/main/java/org/traccar/web/WebServer.java
+++ b/src/main/java/org/traccar/web/WebServer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012 - 2020 Anton Tananaev (anton@traccar.org)
+ * Copyright 2012 - 2021 Anton Tananaev (anton@traccar.org)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
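Review bot: A request whose path is only `/{uniqueId}` or `/{uniqueId}/` still satisfies the new `parts != null && parts.length >= 2` condition and, after the device permission check passes, is forwarded down the chain, so whether that device's directory can be listed now depends entirely on the servlet that serves the media files having directory listings switched off. The `dirAllowed` parameter this commit adds in WebServer.java is set on the holder visible in that hunk; if media is served by a separate DefaultServlet holder, it presumably needs `setInitParameter("dirAllowed", "false")` as well (I cannot see that registration from this diff). Answering an unknown unique id with 403 instead of the previous 404 also stops the endpoint from revealing whether a device id exists, which deserves a short comment above the new `sendError` line such as `// unknown, missing or unauthorized device all get the same response so the id space is not enumerable`. doFilter starts and ends outside this hunk.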
@@ -136,6 +136,7 @@ public class WebServer {
 private void initWebApp(Config config, ServletContextHandler servletHandler) {
 ServletHolder servletHolder = new ServletHolder(DefaultServlet.class);
 servletHolder.setInitParameter("resourceBase", new File(config.getString(Keys.WEB_PATH)).getAbsolutePath());
+ servletHolder.setInitParameter("dirAllowed", "false");
 if (config.getBoolean(Keys.WEB_DEBUG)) {
 servletHandler.setWelcomeFiles(new String[] {"debug.html", "index.html"});
 } else { |
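Review bot: The new `dirAllowed` init parameter is the only thing standing between a directory request and a listing of the web path, yet nothing at the call site says why it is there, so a why-comment tied to the issue would help the next maintainer who reworks these holder parameters: `// Disable Jetty directory listings for the web app (#4701)`. Presumably Jetty's DefaultServlet now answers a bare directory request with an error instead of an index, so any directory under the web path that users reach by URL must carry one of the welcome files configured just below; please confirm against the Jetty version in use. initWebApp continues past the end of this hunk.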