From 48926cd7f002042ef16c01c2ff656c571436436a Mon Sep 17 00:00:00 2001 From: dklimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 17:26:18 +0200 Subject: [PATCH 1/6] Disable directory listing for `StaticResource` --- synapse/http/server.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/synapse/http/server.py b/synapse/http/server.py index 7b760505b25a..84bbd7e0344e 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -569,6 +569,9 @@ def render_GET(self, request: Request) -> bytes: set_clickjacking_protection_headers(request) return super().render_GET(request) + def directoryListing(self) -> resource.NoResource: + return self.childNotFound + class UnrecognizedRequestResource(resource.Resource): """ From 41899c4ee0528056b4b9ca25a9ffe0c2cca45ed0 Mon Sep 17 00:00:00 2001 From: dklimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 17:29:51 +0200 Subject: [PATCH 2/6] newsfile --- changelog.d/15438.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/15438.misc diff --git a/changelog.d/15438.misc b/changelog.d/15438.misc new file mode 100644 index 000000000000..1edcbac7e294 --- /dev/null +++ b/changelog.d/15438.misc @@ -0,0 +1 @@ +Disable directory listing for static resources in `/_matrix/static/`. \ No newline at end of file From c69cdf71b3ff10b5e5fd6f113b09908f9b17cd01 Mon Sep 17 00:00:00 2001 From: dklimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 18:19:25 +0200 Subject: [PATCH 3/6] use pages.notFound --- synapse/http/server.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/synapse/http/server.py b/synapse/http/server.py index 84bbd7e0344e..58b60d7611d5 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -46,6 +46,8 @@ from twisted.internet.defer import CancelledError from twisted.python import failure from twisted.web import resource +from twisted.web.pages import notFound +from twisted.web.resource import IResource from twisted.web.server import NOT_DONE_YET, Request from twisted.web.static import File from twisted.web.util import redirectTo @@ -569,8 +571,8 @@ def render_GET(self, request: Request) -> bytes: set_clickjacking_protection_headers(request) return super().render_GET(request) - def directoryListing(self) -> resource.NoResource: - return self.childNotFound + def directoryListing(self) -> IResource: + return notFound() class UnrecognizedRequestResource(resource.Resource): From e3bd59b9582cff4788ea731793d5f70b909e71ad Mon Sep 17 00:00:00 2001 From: Dirk Klimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 18:41:01 +0200 Subject: [PATCH 4/6] Update synapse/http/server.py Co-authored-by: Patrick Cloke --- synapse/http/server.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/synapse/http/server.py b/synapse/http/server.py index 58b60d7611d5..d95d67e2a2f7 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -46,7 +46,10 @@ from twisted.internet.defer import CancelledError from twisted.python import failure from twisted.web import resource -from twisted.web.pages import notFound +try: + from twisted.web.pages import notFound +except ImportError: + from twisted.web.resource import NoResource as notFound from twisted.web.resource import IResource from twisted.web.server import NOT_DONE_YET, Request from twisted.web.static import File From 80cace5a742535318f9e85d5afdb8fbada624164 Mon Sep 17 00:00:00 2001 From: dklimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 18:55:14 +0200 Subject: [PATCH 5/6] linz --- synapse/http/server.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/synapse/http/server.py b/synapse/http/server.py index d95d67e2a2f7..3b6dd2e7e54e 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -46,10 +46,12 @@ from twisted.internet.defer import CancelledError from twisted.python import failure from twisted.web import resource + try: from twisted.web.pages import notFound except ImportError: from twisted.web.resource import NoResource as notFound + from twisted.web.resource import IResource from twisted.web.server import NOT_DONE_YET, Request from twisted.web.static import File From 3a7db1c7028c91b93e8f2cb3e46f01a40763ca49 Mon Sep 17 00:00:00 2001 From: dklimpel <5740567+dklimpel@users.noreply.github.com> Date: Fri, 14 Apr 2023 19:05:22 +0200 Subject: [PATCH 6/6] mypy --- synapse/http/server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/http/server.py b/synapse/http/server.py index 3b6dd2e7e54e..101dc2e747d0 100644 --- a/synapse/http/server.py +++ b/synapse/http/server.py @@ -50,7 +50,7 @@ try: from twisted.web.pages import notFound except ImportError: - from twisted.web.resource import NoResource as notFound + from twisted.web.resource import NoResource as notFound # type: ignore[assignment] from twisted.web.resource import IResource from twisted.web.server import NOT_DONE_YET, Request