From 84062f77ebb2972c55998e1b63acd101f9ced074 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Sun, 20 Dec 2020 11:14:41 +0000
Subject: [PATCH 1/2] Merge common logic in GET and HEAD handling code.

There is shared logic in the GET and HEAD codepaths surrounding stat()ing the requested file, and sanity checking that the request is indeed valid. This commit de-duplicates this code into a single path.
---
 prosody-filer.go | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/prosody-filer.go b/prosody-filer.go
index 3b747e7..9e0baee 100644
--- a/prosody-filer.go
+++ b/prosody-filer.go
@@ -137,12 +137,16 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "403 Forbidden", 403)
 return
 }
- } else if r.Method == "HEAD" {
+ } else if r.Method == "HEAD" || r.Method == "GET" {
 fileinfo, err := os.Stat(absFilename)
 if err != nil {
 log.Println("Getting file information failed:", err)
 http.Error(w, "404 Not Found", 404)
 return
+ } else if fileinfo.IsDir() {
+ log.Println("Directory listing forbidden!")
+ http.Error(w, "403 Forbidden", 403)
+ return
 }
 
 /*
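Review bot: The new `else if fileinfo.IsDir()` branch answers 403 while a missing path answers 404, so a remote client can distinguish directories from non-existent names and map the store's layout by probing, even though directories are never served. Returning the same status for both cases, `http.Error(w, "404 Not Found", 404)`, while keeping the distinct log line closes that side channel without losing operator visibility. Separately, `os.Stat` follows symlinks, so this check happily passes a symlink to a regular file; whether such links can appear under `absFilename` depends on how that path is built, which is outside this hunk. handleRequest starts before and continues after the hunk.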
@@ -151,20 +155,18 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 * relying on file extensions.
 */
 contentType := mime.TypeByExtension(filepath.Ext(fileStorePath))
- w.Header().Set("Content-Length", strconv.FormatInt(fileinfo.Size(), 10))
- w.Header().Set("Content-Type", contentType)
- } else if r.Method == "GET" {
- contentType := mime.TypeByExtension(filepath.Ext(fileStorePath))
- if f, err := os.Stat(absFilename); err != nil || f.IsDir() {
- log.Println("Directory listing forbidden!")
- http.Error(w, "403 Forbidden", 403)
- return
- }
 if contentType == "" {
 contentType = "application/octet-stream"
 }
- http.ServeFile(w, r, absFilename)
 w.Header().Set("Content-Type", contentType)
+
+ if r.Method == "HEAD" {
+ w.Header().Set("Content-Length", strconv.FormatInt(fileinfo.Size(), 10))
+ } else {
+ http.ServeFile(w, r, absFilename)
+ }
+
+ return
 } else if r.Method == "OPTIONS" {
 w.Header().Set("Allow", ALLOWED_METHODS)
 return
From ce597ed0cb799580272870dd96adc49a1fe542d0 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Sun, 20 Dec 2020 12:49:35 +0000
Subject: [PATCH 2/2] Create files without the executable bit set.

There's no particular reason why uploaded files should have the executable bit set, and doing so probably has vague security implications.
---
 prosody-filer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/prosody-filer.go b/prosody-filer.go
index 9e0baee..050d3d8 100644
--- a/prosody-filer.go
+++ b/prosody-filer.go
@@ -114,7 +114,7 @@ func handleRequest(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- file, err := os.OpenFile(absFilename, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0755)
+ file, err := os.OpenFile(absFilename, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
 defer file.Close()
 if err != nil {
 log.Println("Creating new file failed:", err)
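Review bot: The new GET branch hands an uploaded file to `http.ServeFile` with a `Content-Type` taken solely from the extension of `fileStorePath`, which appears to be derived from the request (set outside this hunk); if uploaders choose names, an upload called `x.html` or `x.svg` is rendered inline by browsers in this service's origin, which is stored XSS against anything else that origin is trusted for. For a file-sharing endpoint the usual guard, set before the `ServeFile` call, is `w.Header().Set("Content-Disposition", "attachment")`, `w.Header().Set("X-Content-Type-Options", "nosniff")` and `w.Header().Set("Content-Security-Policy", "default-src 'none'")`, the first being the one that matters most. A smaller point: `http.ServeFile` already handles HEAD itself (it sets `Content-Length` and `Last-Modified` and honours conditional and Range headers without writing a body), so the separate HEAD branch that sets only `Content-Length` makes HEAD and GET answer with different headers; routing both methods through `ServeFile` would be simpler and consistent. handleRequest continues on both sides of the hunk.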
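Review bot: `0644` still creates every upload world-readable on the host, which is wider than needed if this process is the only reader of the store; `0600` is the least-privilege choice there, and in any case the mode passed to `os.OpenFile` is only an upper bound that the process umask narrows further, so the effective permissions should be checked on the deployed host rather than assumed from this literal. Also, the `defer file.Close()` on the context line below runs before `err` is examined, so on a failed open it closes a nil `*os.File`; that returns `os.ErrInvalid` rather than panicking, but placing the defer after the error check is the idiomatic order, a pre-existing issue rather than one this commit introduces. handleRequest starts before and continues after the hunk.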