authorDirk Klimpel <5740567+dklimpel@users.noreply.github.com>2023-04-14 19:49:47 +0200
committerGitHub <noreply@github.com>2023-04-14 13:49:47 -0400
commit24b61f32ff7a2f49aaf2d3d81045d2187eccce7d (patch)
treed1c0e8bf426753b9aaad4cca8587d5b37fbcaa9b
parentLoad `/capabilities` endpoint on workers (#15436) (diff)
downloadsynapse-24b61f32ff7a2f49aaf2d3d81045d2187eccce7d.tar.xz
Disable directory listing for `StaticResource` (#15438)
-rw-r--r--changelog.d/15438.misc1
-rw-r--r--synapse/http/server.py10
2 files changed, 11 insertions, 0 deletions
diff --git a/changelog.d/15438.misc b/changelog.d/15438.misc
new file mode 100644
index 0000000000..1edcbac7e2
--- /dev/null
+++ b/changelog.d/15438.misc
@@ -0,0 +1 @@
+Disable directory listing for static resources in `/_matrix/static/`.
\ No newline at end of file
diff --git a/synapse/http/server.py b/synapse/http/server.py
index 7b760505b2..101dc2e747 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -46,6 +46,13 @@ from twisted.internet import defer, interfaces
 from twisted.internet.defer import CancelledError
 from twisted.python import failure
 from twisted.web import resource
+
+try:
+    from twisted.web.pages import notFound
+except ImportError:
+    from twisted.web.resource import NoResource as notFound  # type: ignore[assignment]
+
+from twisted.web.resource import IResource
 from twisted.web.server import NOT_DONE_YET, Request
 from twisted.web.static import File
 from twisted.web.util import redirectTo
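Review bot: The `try`/`except ImportError` around the `notFound` import has no comment saying why two import paths exist. The fallback binds the `NoResource` class to the name of a function, which is what forces the `# type: ignore[assignment]`. I would add above the `try:` a comment such as `# twisted.web.pages is absent from older Twisted releases; NoResource() is the equivalent 404 resource there.` As a point of style, the block sits between two plain `twisted.web` imports; moving it below `from twisted.web.util import redirectTo` would keep the unconditional imports contiguous.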
@@ -569,6 +576,9 @@ class StaticResource(File):
         set_clickjacking_protection_headers(request)
         return super().render_GET(request)
 
+    def directoryListing(self) -> IResource:
+        return notFound()
+
 
 class UnrecognizedRequestResource(resource.Resource):
     """