From f3edd8013d6bb6f108a1ff203786b3fcfec2b8d1 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Sun, 9 Apr 2017 16:54:28 +0200
Subject: [PATCH] Rev2034, Fix leaking users.json via webui

---
 src/Config.py       | 2 +-
 src/Test/TestWeb.py | 9 +++++----
 src/Ui/UiRequest.py | 2 ++
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/Config.py b/src/Config.py
index b690848c..72084e5a 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -10,7 +10,7 @@ class Config(object):
     def __init__(self, argv):
         self.version = "0.5.3"
-        self.rev = 2033
+        self.rev = 2034
         self.argv = argv
         self.action = None
         self.config_file = "zeronet.conf"
diff --git a/src/Test/TestWeb.py b/src/Test/TestWeb.py
index 059bfae6..8cbce1cf 100644
--- a/src/Test/TestWeb.py
+++ b/src/Test/TestWeb.py
@@ -38,10 +38,11 @@ class TestWeb:
         assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url)
         assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url)
         assert "Forbidden" in wget("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url)
-
-        assert "Not Found" in wget("%s/content.db" % site_url)
-        assert "Not Found" in wget("%s/./key-rsa.pem" % site_url)
-        assert "Not Found" in wget("%s/././././././././././//////sites.json" % site_url)
+
+        assert "Forbidden" in wget("%s/content.db" % site_url)
+        assert "Forbidden" in wget("%s/./users.json" % site_url)
+        assert "Forbidden" in wget("%s/./key-rsa.pem" % site_url)
+        assert "Forbidden" in wget("%s/././././././././././//////sites.json" % site_url)

     def testLinkSecurity(self, browser, site_url):
         browser.get("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 4d004fb0..44fbd6af 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
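Review bot: The only new probe for the file named in the commit subject is the `./users.json` spelling; the bare form is not exercised, so a regression that again serves the data-directory root through a different address value would pass this test. Add `assert "Forbidden" in wget("%s/users.json" % site_url)` next to the new line, unless another test already covers it. The assertions also only check that the body contains the word "Forbidden"; if wget exposes the status code, asserting on 403 would make the test independent of the error page's wording.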
@@ -374,6 +374,8 @@ class UiRequest(object):
         if site.settings["own"]:
             from Debug import DebugMedia
             DebugMedia.merge(file_path)
+        if not address or address == ".":
+            return self.error403(path_parts["inner_path"])
         if os.path.isfile(file_path):  # File exists
             return self.actionFile(file_path, header_length=header_length)
         elif os.path.isdir(file_path):  # If this is actually a folder, add "/" and redirect
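Review bot: The new guard `if not address or address == ".":` is a denylist of two address spellings rather than a check on where the already-built `file_path` resolves, so it only covers request shapes that the parser upstream of this hunk collapses to one of those two values; how `address` and `file_path` are derived is outside the hunk, so this is inferred. A containment check is the stronger invariant: normalise `file_path` with `os.path.abspath` and return `self.error403(...)` unless it starts with the site's resolved data directory plus `os.sep`. The guard is also placed after `DebugMedia.merge(file_path)`, so for an owned site the merge still runs against the rejected path before the 403; moving it above the `if site.settings["own"]:` block avoids that. The enclosing method begins and ends outside the hunk.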