Skip to content

add --disable-indexing cli flag to completely disable directory indexing#1329

Merged
svenstaro merged 9 commits intosvenstaro:masterfrom
dyc3:disable-indexing
Feb 1, 2024
Merged

add --disable-indexing cli flag to completely disable directory indexing#1329
svenstaro merged 9 commits intosvenstaro:masterfrom
dyc3:disable-indexing

Conversation

@dyc3
Copy link
Copy Markdown
Contributor

@dyc3 dyc3 commented Jan 29, 2024

closes #1328

@svenstaro
Copy link
Copy Markdown
Owner

svenstaro commented Jan 29, 2024

Please add a test for this. It's a fairly impactful change.

svenstaro
svenstaro requested changes Jan 30, 2024
View reviewed changes
src/listing.rs Outdated
Comment on lines +379 to +387
if conf.disable_indexing {
return Ok(ServiceResponse::new(
req.clone(),
HttpResponse::NotFound()
.content_type(mime::TEXT_PLAIN_UTF_8)
.body("File not found."),
));
}

Copy link
Copy Markdown
Owner

@svenstaro svenstaro Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't putting it here result in the index still being downloadable via requesting an archive? This seems to me like a potential security problem or at least something people might not expect. I think it might be safer to prohibit index generation entirely in main.rs.

Copy link
Copy Markdown
Contributor Author

@dyc3 dyc3 Jan 30, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't aware that was a thing. I'll take a look.

Copy link
Copy Markdown
Contributor Author

@dyc3 dyc3 Jan 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After looking at it closer, I think it'll be more clean to just move this check all the way to the top of this function. All file listings seem to go through this handler.

Plus, it seems to render a nicer looking error page when it's handled here.

@dyc3
Copy link
Copy Markdown
Contributor Author

dyc3 commented Jan 30, 2024

I added a couple tests. I'm not super familiar with your codebase, so let me know if there's some better assertions I could use.

svenstaro
svenstaro reviewed Jan 30, 2024
View reviewed changes
@dyc3 dyc3 requested a review from svenstaro January 30, 2024 14:48
svenstaro
svenstaro reviewed Feb 1, 2024
View reviewed changes
src/listing.rs
Comment on lines +164 to +171
if conf.disable_indexing {
return Ok(ServiceResponse::new(
req.clone(),
HttpResponse::NotFound()
.content_type(mime::TEXT_PLAIN_UTF_8)
.body("File not found."),
));
}
Copy link
Copy Markdown
Owner

@svenstaro svenstaro Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is probably fine but I'm wondering: Can we just disable indexing entirely in main.rs?

Copy link
Copy Markdown
Contributor Author

@dyc3 dyc3 Feb 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically yes, and if you want to see what that looks like, you can check out 7b5b1a0. Reiterating what I said in this comment I think it would be less complicated to do it like this.

@svenstaro
Copy link
Copy Markdown
Owner

svenstaro commented Feb 1, 2024

Excellent stuff, tests are spot on, too!

@svenstaro svenstaro merged commit 85bbe59 into svenstaro:master Feb 1, 2024
@dyc3 dyc3 deleted the disable-indexing branch February 1, 2024 03:46
svenstaro added a commit that referenced this pull request Feb 1, 2024
@svenstaro
Add CHANGELOG entry for #1329
2b73292
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@svenstaro svenstaro svenstaro requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add cli flag to disable indexing

2 participants

@dyc3 @svenstaro