author | Steve Manuel <nilslice@gmail.com> | 2016-11-16 02:17:09 -0800 |
---|---|---|
committer | Steve Manuel <nilslice@gmail.com> | 2016-11-16 02:17:09 -0800 |
commit | cffc8906b5cff73d25aef71e83a79e361ecad917 (patch) | |
tree | a9e339a371d96f5f09080536d146f9d8e3324796 | |
parent | cfc71f914e0b683dceca4e55edfa46c5a315ec2c (diff) |
testing restricted file server to limit public access from listing directory contents
-rw-r--r-- | system/admin/filesystem.go | 36 | ||||
-rw-r--r-- | system/admin/server.go | 4 |
2 files changed, 38 insertions, 2 deletions
diff --git a/system/admin/filesystem.go b/system/admin/filesystem.go
new file mode 100644
index 0000000..4e64a26
--- /dev/null
+++ b/system/admin/filesystem.go
@@ -0,0 +1,36 @@
+package admin
+
+import (
+ "net/http"
+ "os"
+)
+
+
+func restrict(dir http.Dir) justFilesFilesystem {
+ return justFilesFilesystem{dir}
+}
+
+// the code below removes the open directory listing when accessing a URL which
+// normally would point to a directory. code from golang-nuts mailing list:
+// https://groups.google.com/d/msg/golang-nuts/bStLPdIVM6w/hidTJgDZpHcJ
+// credit: Brad Fitzpatrick (c) 2012
+
+type justFilesFilesystem struct {
+ fs http.FileSystem
+}
+
+func (fs justFilesFilesystem) Open(name string) (http.File, error) {
+ f, err := fs.fs.Open(name)
+ if err != nil {
+ return nil, err
+ }
+ return neuteredReaddirFile{f}, nil
+}
+
+type neuteredReaddirFile struct {
+ http.File
+}
+
+func (f neuteredReaddirFile) Readdir(count int) ([]os.FileInfo, error) {
+ return nil, nil
+}
diff --git a/system/admin/server.go b/system/admin/server.go
index ef2ae4b..75b48f6 100644
--- a/system/admin/server.go
+++ b/system/admin/server.go
@@ -41,11 +41,11 @@ func Run() {
 }
 staticDir := filepath.Join(pwd, "cmd", "ponzu", "vendor", "github.com", "bosssauce", "ponzu", "system")
- http.Handle("/admin/static/", CacheControl(http.FileServer(http.Dir(staticDir))))
+ http.Handle("/admin/static/", CacheControl(http.FileServer(restrict(http.Dir(staticDir)))))
 // API path needs to be registered within server package so that it is handled
 // even if the API server is not running. Otherwise, images/files uploaded
 // through the editor will not load within the admin system.
 uploadsDir := filepath.Join(pwd, "uploads")
- http.Handle("/api/uploads/", CacheControl(http.StripPrefix("/api/uploads/", http.FileServer(http.Dir(uploadsDir)))))
+ http.Handle("/api/uploads/", CacheControl(http.StripPrefix("/api/uploads/", http.FileServer(restrict(http.Dir(uploadsDir))))))
 } |
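Review bot: Overriding `Readdir` to return `nil, nil` empties the listing, but as far as net/http's FileServer behaves a directory URL should still answer 200 with an empty page while a missing path answers 404, so the directory layout under the served root can still be confirmed by probing. If no directory needs an index page, `Open` could stat the opened file and return `os.ErrNotExist` for directories so both cases look the same to the client; note that this also stops `index.html` from being served for a directory. Separately, `Readdir` ignores `count` and never returns `io.EOF`, which a caller looping with a positive count would not expect, and `restrict` would benefit from a one-line doc comment saying it hides listings only.

```go
func (fs justFilesFilesystem) Open(name string) (http.File, error) {
	// … unchanged: fs.fs.Open(name) and its error check …
	info, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if info.IsDir() {
		// Report directories as missing so FileServer answers 404 for them.
		f.Close()
		return nil, os.ErrNotExist
	}
	return neuteredReaddirFile{f}, nil
}
```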
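Review bot: The `/api/uploads/` handler serves editor uploads from the admin server's own origin, and hiding the directory listing does not change how a browser interprets an individual uploaded file. If the upload path accepts arbitrary file types (not visible in this hunk), consider a small wrapper around this handler that calls `w.Header().Set("X-Content-Type-Options", "nosniff")` before delegating. A comment above the two `http.Handle` calls such as `// restrict hides directory listings only; files stay readable by exact name` would keep the scope of the change clear. `Run`'s body begins outside the hunk.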