patrickhener/goshs

[BUG] folder based passwords doesn't prevent access via url

Closed this issue · 2 comments

Description

I'm not sure if this behavior is intended or a bug, but it appears that the file-based password protection feature does not effectively prevent direct access to a file via its URL.

Steps to Replicate:

  1. Create a folder and place a .goshs file inside it to enable password protection.
  2. Create a text file within the protected folder and add some content.
  3. Start goshs serving the parent directory of the created folder.
  4. Attempt to access the file directly via the following URL: localhost:(port)/(created folder)/(created file).

Expected Behavior

goshs prompts for a password and serves file content after authentication.

Actual Behavior

File content is served without authentication.

This might be true. Need to look into it again. Pretty sure I messed up not implementing it for the file handler.

So I pushed a fix for it with the last commit b7c16ae. I designed it to be non-recursive though, as this would be overkill to do.

So for example:

ACL in root of the shared folder says to block "test2.txt" and "blockall/" (folder). This is in fact the case. But a file within "blockall/" is not blocked unless you define a new .goshs file in this folder and block access to it. Same goes for the authentication. That is not ideal, but everything else would be overkill, as I already explained.

I think this is an edge case to begin with and therefore think it is sufficient as a solution.
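
Added example, not part of the issue thread or of goshs's own code: since the check described above is non-recursive, a folder is only covered by a .goshs file placed in that same folder. This Go program walks a shared tree and lists every folder that sits below a folder with a .goshs file but has none of its own. It assumes only that the file is named .goshs (it tests for presence and does not parse it); the sample tree and the names `guarded/` and `blockall/sub/` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// UncoveredDirs lists directories below a .goshs-protected ancestor that have no .goshs of their own.
func UncoveredDirs(root string) (out []string, err error) {
	var walk func(dir string, inherited bool) error
	walk = func(dir string, inherited bool) error {
		info, serr := os.Stat(filepath.Join(dir, ".goshs"))
		own := serr == nil && !info.IsDir() // presence only; the file is not parsed
		if inherited && !own {
			rel, _ := filepath.Rel(root, dir)
			out = append(out, filepath.ToSlash(rel))
		}
		entries, err := os.ReadDir(dir)
		for _, e := range entries {
			if err == nil && e.IsDir() {
				err = walk(filepath.Join(dir, e.Name()), inherited || own)
			}
		}
		return err
	}
	err = walk(filepath.Clean(root), false)
	return out, err
}

// buildSample writes a constructed tree (hypothetical names, placeholder contents) to a temp dir.
func buildSample() (string, error) {
	root, err := os.MkdirTemp("", "goshs-audit")
	for _, f := range []string{".goshs", "guarded/.goshs", "blockall/sub/note.txt"} {
		p := filepath.Join(root, f)
		if err == nil {
			_ = os.MkdirAll(filepath.Dir(p), 0o755) // a failure here surfaces in WriteFile
			err = os.WriteFile(p, []byte("{}"), 0o600)
		}
	}
	return root, err
}

func main() {
	if root, err := buildSample(); err == nil {
		defer os.RemoveAll(root)
		fmt.Println(UncoveredDirs(root)) // [blockall blockall/sub] <nil>
	}
}
```

Each folder it reports needs its own .goshs file if its contents are meant to be protected.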