Forbid /media and /static file browsing. Resolve #1746.

evennia/server/server.py

@@ -546,7 +546,7 @@ if WEBSERVER_ENABLED:
 
     # Start a django-compatible webserver.
 
-    from evennia.server.webserver import DjangoWebRoot, WSGIWebServer, Website, LockableThreadPool
+    from evennia.server.webserver import DjangoWebRoot, WSGIWebServer, Website, LockableThreadPool, PrivateStaticRoot
 
     # start a thread pool and define the root url (/) as a wsgi resource
     # recognized by Django
@@ -555,9 +555,9 @@ if WEBSERVER_ENABLED:
 
     web_root = DjangoWebRoot(threads)
     # point our media resources to url /media
-    web_root.putChild(b"media", static.File(settings.MEDIA_ROOT))
+    web_root.putChild(b"media", PrivateStaticRoot(settings.MEDIA_ROOT))
     # point our static resources to url /static
-    web_root.putChild(b"static", static.File(settings.STATIC_ROOT))
+    web_root.putChild(b"static", PrivateStaticRoot(settings.STATIC_ROOT))
     EVENNIA.web_root = web_root
 
     if WEB_PLUGINS_MODULE:

evennia/server/webserver.py

@@ -14,7 +14,7 @@ a great example/aid on how to do this.)
 """
 import urllib.parse
 from urllib.parse import quote as urlquote
-from twisted.web import resource, http, server
+from twisted.web import resource, http, server, static
 from twisted.internet import reactor
 from twisted.application import internet
 from twisted.web.proxy import ReverseProxyResource
@@ -268,3 +268,14 @@ class WSGIWebServer(internet.TCPServer):
         """
         super().stopService()
         self.pool.stop()
+
+
+class PrivateStaticRoot(static.File):
+    """
+    This overrides the default static file resource so as to not make the
+    directory listings public (that is, if you go to /media or /static you
+    won't see an index of all static/media files on the server).
+
+    """
+    def directoryListing(self):
+        return resource.ForbiddenResource()