
Bridge should refrain from uploading htm/l files to the media server. #442

Closed · derram opened this issue Jun 2, 2018 · 8 comments
Labels: enhancement (New feature or request)
Milestone: 1.10.2

Comments

derram (Author) commented Jun 2, 2018

This just seems like a huge security hazard and I didn't see a way to prevent it on the caddy plugin side.

(two screenshots attached: selection_215, selection_216)

42wim (Owner) commented Jun 3, 2018

I understand it could be annoying, but what exactly is the security hazard?

Haven't tested it but I think you can get people to download the file instead of showing it (if that's the issue you're referring to) by using the mime setting

https://caddyserver.com/docs/mime

mime {
   .html application/octet-stream
   .htm application/octet-stream
}

derram (Author) commented Jun 4, 2018

Yes, displaying it is the problem because a malicious user could upload something bad enough to get a vps/domain provider to pull an account without appeal.

Using the mime setting would prevent me from setting my own index.html file to hide the file index as well, I believe.

42wim (Owner) commented Jun 4, 2018

From the caddy docs:

"By default, file listings are disabled and a request to a directory path (where no index file is present) will result in a 404 for obscurity reasons."

So you don't need to put an index file yourself

42wim (Owner) commented Jun 5, 2018

Could you confirm if this fixes your issue?
It would be handy to have an extension blacklist filter though.

42wim added the enhancement label on Jun 5, 2018

derram (Author) commented Jun 7, 2018

Maybe the upload plugin changes something because the file index was definitely visible before I set an index file.

Also I'm just using the caddy file from the media server setup documentation so I don't think it's anything in there.

42wim (Owner) commented Jun 8, 2018

Oh, I see, if you used the documentation, please remove the browse command from your caddy config.
This will disable the index listing

42wim added this to the 1.10.2 milestone on Jun 9, 2018

42wim (Owner) commented Jun 9, 2018

I've added an option to master so you can select which files can be blacklisted

#MediaDownloadBlacklist allows you to blacklist specific files from being downloaded.
#Filenames matching these regexps will not be downloaded/uploaded to the mediaserver
#You can use regex for this, see https://regex-golang.appspot.com/assets/html/index.html for more regex info
#OPTIONAL (default empty)
MediaDownloadBlacklist=[".html$",".htm$"]

42wim closed this as completed in bd9ea7a on Jun 9, 2018

derram (Author) commented Jun 9, 2018
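To show what the `MediaDownloadBlacklist` patterns above actually match, here is an added, stand-alone Go example written for this page. It is not matterbridge code and does not use its internals; it only applies the regexps from the comment to a constructed list of upload filenames. `HardenedPatterns` and all function names are this example's own assumptions, not options or functions of the project. The point worth seeing: the issue's `.html$` / `.htm$` are case-sensitive and the unescaped `.` matches any character, so `INDEX.HTML` passes while `notes.shtml` is caught only by accident.

```go
package main

import (
	"fmt"
	"regexp"
)

// IssuePatterns is the blacklist exactly as given in the issue comment.
var IssuePatterns = []string{".html$", ".htm$"}

// HardenedPatterns is an assumed, tighter alternative (not a project default):
// the dot is escaped so it matches a literal ".", (?i) makes the match
// case-insensitive, and one pattern covers .htm, .html and .shtml.
var HardenedPatterns = []string{`(?i)\.s?html?$`}

// SampleNames are constructed upload filenames used to exercise both lists.
var SampleNames = []string{
	"report.html",
	"page.htm",
	"INDEX.HTML",       // upper-case extension
	"notes.shtml",      // server-parsed HTML
	"archive.html.zip", // ".html" in the middle, not at the end
	"photo.png",
}

// CompileBlacklist compiles every pattern once. A malformed pattern is a
// configuration error and is reported instead of being silently skipped.
func CompileBlacklist(patterns []string) ([]*regexp.Regexp, error) {
	compiled := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("invalid MediaDownloadBlacklist entry %q: %w", p, err)
		}
		compiled = append(compiled, re)
	}
	return compiled, nil
}

// IsBlacklisted reports whether filename matches any compiled pattern.
func IsBlacklisted(filename string, blacklist []*regexp.Regexp) bool {
	for _, re := range blacklist {
		if re.MatchString(filename) {
			return true
		}
	}
	return false
}

// BlockedNames returns, in input order, the names a pattern list would keep
// off the media server.
func BlockedNames(patterns, names []string) ([]string, error) {
	blacklist, err := CompileBlacklist(patterns)
	if err != nil {
		return nil, err
	}
	var blocked []string
	for _, n := range names {
		if IsBlacklisted(n, blacklist) {
			blocked = append(blocked, n)
		}
	}
	return blocked, nil
}

func main() {
	sets := []struct {
		label    string
		patterns []string
	}{
		{"issue", IssuePatterns},
		{"hardened", HardenedPatterns},
	}
	for _, s := range sets {
		blocked, err := BlockedNames(s.patterns, SampleNames)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("%-9s %v -> blocked %v\n", s.label, s.patterns, blocked)
	}
}
```

Run it with `go run`: the issue's list blocks `report.html`, `page.htm` and `notes.shtml` but lets `INDEX.HTML` through, while the hardened list blocks all four and still leaves `archive.html.zip` and `photo.png` alone. Whatever list you choose, test it against the extensions your server will actually render as HTML, since the browser decides based on the served Content-Type, not on the pattern's case.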

Thanks again!
