From 823ce084e3701646a9cb8e94baac6e083021f736 Mon Sep 17 00:00:00 2001
From: visionmercer <62051836+visionmercer@users.noreply.github.com>
Date: Wed, 15 Apr 2026 10:49:26 +0200
Subject: [PATCH] Disable Directory Listings

---
 internal/handlers/handlers.go | 27 ++++++++++++++++++++++++++-
 test_secure/test.iso | 0
 test_secure/test.txt | 1 +
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 test_secure/test.iso
 create mode 100644 test_secure/test.txt

diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index 6cd7ff8..c1801a9 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -209,7 +209,32 @@ func (h *Handler) RawFile(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) ServeStatic(w http.ResponseWriter, r *http.Request) {
- http.StripPrefix("/static/", http.FileServer(h.staticFS)).ServeHTTP(w, r)
+ // Serve static files with directory listing completely disabled
+ filePath := strings.TrimPrefix(r.URL.Path, "/static/")
+ if filePath == "" || strings.HasSuffix(filePath, "/") || strings.Contains(filePath, "..") {
+ http.NotFound(w, r)
+ return
+ }
+
+ f, err := h.staticFS.Open(filePath)
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+ defer f.Close()
+
+ stat, err := f.Stat()
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ if stat.IsDir() {
+ http.NotFound(w, r)
+ return
+ }
+
+ http.ServeContent(w, r, stat.Name(), stat.ModTime(), f)
 }
 
 func (h *Handler) openISO(relPath string) (*iso.Reader, error) {
diff --git a/test_secure/test.iso b/test_secure/test.iso
new file mode 100644
index 0000000..e69de29
diff --git a/test_secure/test.txt b/test_secure/test.txt
new file mode 100644
index 0000000..345e6ae
--- /dev/null
+++ b/test_secure/test.txt
@@ -0,0 +1 @@
+Test
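Review bot: In ServeStatic, `strings.TrimPrefix(r.URL.Path, "/static/")` does not enforce the prefix: a path that lacks `/static/` reaches `h.staticFS.Open` unchanged, where the removed `http.StripPrefix` answered 404. Whether that is reachable depends on the route registration, which is outside the hunk. Prefer `filePath, ok := strings.CutPrefix(r.URL.Path, "/static/")` with `!ok` added to the 404 condition (Go 1.20+). The `strings.Contains(filePath, "..")` test is a substring match, so it also rejects valid names such as `app..min.js`; compare whole segments instead, e.g. `slices.Contains(strings.Split(filePath, "/"), "..")` (Go 1.21+), and add a comment that containment still rests on the `Open` implementation behind `h.staticFS`, whose type is not visible here. The new `test_secure/` files are not referenced by any code in this patch; a handler test covering the directory, trailing-slash and `..` cases would pin the intended behaviour.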