Return 403 when attachment "folders" are spidered. Fixes #340

author: Seb Bacon <seb.bacon@gmail.com> 2012-01-12 07:47:16 +0000
committer: Seb Bacon <seb.bacon@gmail.com> 2012-01-12 07:47:16 +0000
commit: 43bd77a1ad43d7cb24117bf3973f841221fd2c6e (patch)
tree: f65b1ce7b1dc9916b62c20f64670292b9793b105 /app/controllers/request_controller.rb
parent: 8f2fa1ee943d5c85b67e5817b3eb2dfd31e87821 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 6e33fe043..fbd7d24d4 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -600,9 +600,13 @@ class RequestController < ApplicationController
     before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ]
     def authenticate_attachment
         # Test for hidden
-        incoming_message = IncomingMessage.find(params[:incoming_message_id])
-        if !incoming_message.info_request.user_can_view?(authenticated_user)
-            render :template => 'request/hidden', :status => 410 # gone
+        if request.path =~ /\/$/ 
+            raise PermissionDenied.new("Directory listing not allowed")
+        else
+            incoming_message = IncomingMessage.find(params[:incoming_message_id])
+            if !incoming_message.info_request.user_can_view?(authenticated_user)
+                render :template => 'request/hidden', :status => 410 # gone
+            end
         end
     end
author	Seb Bacon <seb.bacon@gmail.com>	2012-01-12 07:47:16 +0000
committer	Seb Bacon <seb.bacon@gmail.com>	2012-01-12 07:47:16 +0000
commit	43bd77a1ad43d7cb24117bf3973f841221fd2c6e (patch)
tree	f65b1ce7b1dc9916b62c20f64670292b9793b105 /app/controllers/request_controller.rb
parent	8f2fa1ee943d5c85b67e5817b3eb2dfd31e87821 (diff)