From 1e27a4c2df604fcd27a9405b34bc1753131b8edc Mon Sep 17 00:00:00 2001
From: ed <s@ocv.me>
Date: Mon, 5 Jul 2021 00:21:33 +0200
Subject: [PATCH] make thumb-dir.txt unretrievable

---
 copyparty/authsrv.py | 10 +++++++++-
 copyparty/httpcli.py |  4 +++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index a4442718..76cc4c17 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -242,6 +242,10 @@ class VFS(object):
         if flt:
             flt = {k: True for k in flt}
 
+        f1 = "{0}.hist{0}up2k.".format(os.sep)
+        f2a = os.sep + "dir.txt"
+        f2b = "{0}.hist{0}".format(os.sep)
+
         for vpath, apath, files, rd, vd in self.walk(
             "", vrem, [], uname, dots, scandir, False
         ):
@@ -275,7 +279,11 @@ class VFS(object):
                     del vd[x]
 
             # up2k filetring based on actual abspath
-            files = [x for x in files if "{0}.hist{0}up2k.".format(os.sep) not in x[1]]
+            files = [
+                x
+                for x in files
+                if f1 not in x[1] and (not x[1].endswith(f2a) or f2b not in x[1])
+            ]
 
             for f in [{"vp": v, "ap": a, "st": n[1]} for v, a, n in files]:
                 yield f
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index c54d75fd..26b9ba6f 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -1561,7 +1561,9 @@ class HttpCli(object):
             raise Pebkac(404)
 
         if self.readable:
-            if rem.startswith(".hist/up2k."):
+            if rem.startswith(".hist/up2k.") or (
+                rem.endswith("/dir.txt") and rem.startswith(".hist/th/")
+            ):
                 raise Pebkac(403)
 
             is_dir = stat.S_ISDIR(st.st_mode)