Merge URI sanitize fix

This commit is contained in:
Pieter Naaijkens 2011-06-14 16:21:56 +02:00 committed by Guillaume Ayoub
parent da42112740
commit 00d8b08341
2 changed files with 15 additions and 1 deletions

View File

@ -31,6 +31,7 @@ should have been included in this package.
import os
import pprint
import base64
import posixpath
import socket
import ssl
import wsgiref.simple_server
@ -38,9 +39,11 @@ import wsgiref.simple_server
# pylint: disable=F0401
try:
from http import client, server
import urllib.parse as urllib
except ImportError:
import httplib as client
import BaseHTTPServer as server
import urllib
# pylint: enable=F0401
from radicale import acl, config, ical, log, xmlutils
@ -137,6 +140,12 @@ class Application(object):
pass
raise UnicodeDecodeError
@staticmethod
def sanitize_uri(uri):
"""Clean URI: unquote and remove /../ to prevent access to other data."""
uri = posixpath.normpath(urllib.unquote(uri))
return uri
def __call__(self, environ, start_response):
"""Manage a request."""
log.LOGGER.info("%s request at %s received" % (
@ -144,6 +153,10 @@ class Application(object):
headers = pprint.pformat(self.headers_log(environ))
log.LOGGER.debug("Request headers:\n%s" % headers)
# Sanitize request URI
environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
# Get content
content_length = int(environ.get("CONTENT_LENGTH") or 0)
if content_length:

View File

@ -183,7 +183,8 @@ class Calendar(object):
The ``path`` is relative to the storage folder.
"""
attributes = posixpath.normpath(path.strip("/")).split("/")
# First do normpath and then strip, to prevent access to FOLDER/../
attributes = posixpath.normpath(path).strip("/").split("/")
if not attributes:
return None
if attributes[-1].endswith(".ics"):