From 24b61f32ff7a2f49aaf2d3d81045d2187eccce7d Mon Sep 17 00:00:00 2001
From: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com>
Date: Fri, 14 Apr 2023 19:49:47 +0200
Subject: Disable directory listing for `StaticResource` (#15438)

---
 changelog.d/15438.misc |  1 +
 synapse/http/server.py | 10 ++++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 changelog.d/15438.misc

diff --git a/changelog.d/15438.misc b/changelog.d/15438.misc
new file mode 100644
index 0000000000..1edcbac7e2
--- /dev/null
+++ b/changelog.d/15438.misc
@@ -0,0 +1 @@
+Disable directory listing for static resources in `/_matrix/static/`.
\ No newline at end of file
diff --git a/synapse/http/server.py b/synapse/http/server.py
index 7b760505b2..101dc2e747 100644
--- a/synapse/http/server.py
+++ b/synapse/http/server.py
@@ -46,6 +46,13 @@ from twisted.internet import defer, interfaces
 from twisted.internet.defer import CancelledError
 from twisted.python import failure
 from twisted.web import resource
+
+try:
+    from twisted.web.pages import notFound
+except ImportError:
+    from twisted.web.resource import NoResource as notFound  # type: ignore[assignment]
+
+from twisted.web.resource import IResource
 from twisted.web.server import NOT_DONE_YET, Request
 from twisted.web.static import File
 from twisted.web.util import redirectTo
@@ -569,6 +576,9 @@ class StaticResource(File):
         set_clickjacking_protection_headers(request)
         return super().render_GET(request)
 
+    def directoryListing(self) -> IResource:
+        return notFound()
+
 
 class UnrecognizedRequestResource(resource.Resource):
     """
-- 
cgit 1.4.1