From 9cbd7fe1aab0f666f96cc00a73ae1b5a6d85370a Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 19 May 2025 11:42:05 +0100
Subject: [PATCH] Limit access to accounts directory

---
 daemon_get.py | 8 ++++++++
 daemon_post.py | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/daemon_get.py b/daemon_get.py
index 245689934..8694b318f 100644
--- a/daemon_get.py
+++ b/daemon_get.py
@@ -311,6 +311,14 @@ def daemon_http_get(self) -> None:
         http_404(self, 145)
         return
 
+    # accounts directory should not be accessible
+    if self.path.startswith('/accounts/'):
+        if not self.path.startswith('/accounts/avatars') and \
+           not self.path.startswith('/accounts/headers'):
+            print('GET HTTP Attempt to get accounts file ' + self.path)
+            http_404(self, 145)
+            return
+
     # php
     if self.path.endswith('.php'):
         print('GET HTTP Attempt to access PHP file ' + self.path)
diff --git a/daemon_post.py b/daemon_post.py
index 61cc20295..dcd4426f9 100644
--- a/daemon_post.py
+++ b/daemon_post.py
@@ -122,6 +122,14 @@ def daemon_http_post(self) -> None:
         http_404(self, 146)
         return
 
+    # accounts directory should not be accessible
+    if self.path.startswith('/accounts/'):
+        if not self.path.startswith('/accounts/avatars') and \
+           not self.path.startswith('/accounts/headers'):
+            print('POST HTTP Attempt to post accounts file ' + self.path)
+            http_404(self, 146)
+            return
+
     # php
     if self.path.endswith('.php'):
         print('POST HTTP Attempt to access PHP file ' + self.path)
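Review bot: The new deny rule in daemon_get.py is a plain `startswith` on the raw `self.path`, so percent-encoded, dot-segment (`/x/../accounts/`), doubled-slash or differently-cased spellings of the same location are not caught by this check, and whether a later handler normalises the path before it reaches the filesystem is not visible in the hunk; the mirrored hunk in daemon_post.py has the same shape. Decoding and normalising the request path once (query string stripped, `urllib.parse.unquote`, then `posixpath.normpath`) and running both the deny test and the allow test against that normalised value would make the rule hold regardless of how the path was spelled. The allow-list is also a bare prefix test, so a path such as `/accounts/avatars-other` passes it; if avatars and headers are only ever served from those two subdirectories, anchoring the exceptions as `'/accounts/avatars/'` and `'/accounts/headers/'` closes that gap. The enclosing daemon_http_get and daemon_http_post bodies start and end outside the hunks, so where this check sits relative to any existing path sanitisation cannot be confirmed from here.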