From 43bd77a1ad43d7cb24117bf3973f841221fd2c6e Mon Sep 17 00:00:00 2001
From: Seb Bacon
Date: Thu, 12 Jan 2012 07:47:16 +0000
Subject: Return 403 when attachment "folders" are spidered. Fixes #340
---
 app/controllers/request_controller.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'app/controllers/request_controller.rb')
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 6e33fe043..fbd7d24d4 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -600,9 +600,13 @@ class RequestController < ApplicationController
 before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ]
 def authenticate_attachment
 # Test for hidden
- incoming_message = IncomingMessage.find(params[:incoming_message_id])
- if !incoming_message.info_request.user_can_view?(authenticated_user)
- render :template => 'request/hidden', :status => 410 # gone
+ if request.path =~ /\/$/
+ raise PermissionDenied.new("Directory listing not allowed")
+ else
+ incoming_message = IncomingMessage.find(params[:incoming_message_id])
+ if !incoming_message.info_request.user_can_view?(authenticated_user)
+ render :template => 'request/hidden', :status => 410 # gone
+ end
 end
 end
-- cgit v1.2.3
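Review bot: The trailing-slash test on the new `if request.path =~ /\/$/` line anchors with `$`, which in Ruby matches before an embedded newline as well as at the end of the string; `request.path.end_with?('/')` (or `\z` if a regex is kept) states the intent exactly and avoids the regex entirely. The 403 promised in the commit title is not produced by this hunk — it depends on how `PermissionDenied` is rescued in ApplicationController, which is outside this view, so a comment such as `# Rescued by ApplicationController; expected to render as 403 (see #340)` on the raise line would make that contract visible to the next reader. The raise would also read more idiomatically as `raise PermissionDenied, "Directory listing not allowed"`, and treating it as a guard clause before the `IncomingMessage.find` lookup would remove the `else` nesting without changing behaviour. The `authenticate_attachment` method is shown in full, but the enclosing class continues outside the hunk.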