Do not leak directory info if append_index_html_on_directories = false by georgmu · Pull Request #421 · tower-rs/tower-http

Do not leak directory info if append_index_html_on_directories = false #421


Merged
merged 1 commit into from
Nov 22, 2023

Conversation

georgmu
Contributor
@georgmu georgmu commented Oct 6, 2023

Motivation

Currently it is possible to gain information about directories even if append_index_html_on_directories = false.

This is caused by the mechanism to redirect to trailing slash for directories (like testcase redirect_to_trailing_slash_on_dir()).

This way, an attacker could search for directories by testing URLs without a trailing slash and then could continue the search within such a subdirectory using the same mechanism.

Solution

This pull request prevents the redirect and directly returns 404 Not Found if append_index_html_on_directories = false.

If append_index_html_on_directories is false, no info about directories should be leaked.

Before this commit, one could identify directories by checking for temporary redirects (like testcase redirect_to_trailing_slash_on_dir()).

This commit prevents the redirect and directly returns 404 Not Found instead.
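The existence oracle described above, as an added toy model that is not tower-http's code: an in-memory "filesystem" (constructed) and a `serve` function whose `fixed` flag switches between the pre-PR behaviour (redirect on a directory even when `append_index_html_on_directories = false`) and the post-PR behaviour (404, identical to a missing path). The names `Fs`, `serve` and `leaks_directory_existence` are assumptions for this example.

```rust
// Added example, not tower-http's code: a toy model of how a static-file
// handler decides between 200, redirect and 404, before and after this PR.
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq)]
enum Response { Ok, Redirect(String), NotFound }

/// Constructed in-memory "filesystem"; directory keys carry no trailing slash.
struct Fs { files: HashSet<&'static str>, dirs: HashSet<&'static str> }

/// `append_index` models append_index_html_on_directories;
/// `fixed` selects the behaviour introduced by this PR.
fn serve(fs: &Fs, uri: &str, append_index: bool, fixed: bool) -> Response {
    let path = uri.trim_end_matches('/');
    if fs.files.contains(path) {
        return Response::Ok;
    }
    if !fs.dirs.contains(path) {
        return Response::NotFound;
    }
    // From here on `path` is an existing directory.
    if fixed && !append_index {
        // After the PR: answer exactly as for a missing path, so no oracle.
        return Response::NotFound;
    }
    if !uri.ends_with('/') {
        // Before the PR this redirect was issued even with
        // append_index_html_on_directories = false, revealing the directory.
        return Response::Redirect(format!("{uri}/"));
    }
    let index = format!("{path}/index.html");
    if append_index && fs.files.contains(index.as_str()) {
        Response::Ok
    } else {
        Response::NotFound
    }
}

/// True if a request for an existing directory is distinguishable from a
/// request for a path that does not exist (the leak this PR closes).
fn leaks_directory_existence(fs: &Fs, append_index: bool, fixed: bool) -> bool {
    serve(fs, "/secret", append_index, fixed) != serve(fs, "/missing", append_index, fixed)
}

fn sample_fs() -> Fs {
    Fs {
        files: ["/index.html", "/secret/index.html"].into_iter().collect(),
        dirs: ["/secret"].into_iter().collect(),
    }
}
```

With `append_index = false`, `leaks_directory_existence` returns true for the pre-PR logic and false for the fixed logic; with `append_index = true` the redirect remains, which is the documented behaviour rather than a leak.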
Member
@jplatte jplatte left a comment


Thanks! And sorry for the delay on reviewing.

@jplatte jplatte closed this Nov 22, 2023
@jplatte jplatte reopened this Nov 22, 2023
@jplatte jplatte merged commit 343627e into tower-rs:main Nov 22, 2023