Merge pull request #341 from Unrud/patch-4

Prevent "regex injection"
2015-12-23 12:09:00 +01:00 · 2015-12-23 12:09:00 +01:00 · 1109973a92
commit 1109973a92
parent c7fe4777b1 4bfe7c9f79
1 changed files with 4 additions and 1 deletions
--- a/radicale/rights/regex.py
+++ b/radicale/rights/regex.py
@ -65,7 +65,10 @@ def _read_from_sections(user, collection_url, permission):
    """Get regex sections."""
    filename = os.path.expanduser(config.get("rights", "file"))
    rights_type = config.get("rights", "type").lower()
-    regex = ConfigParser({"login": user, "path": collection_url})
+    # Prevent "regex injection"
+    user_escaped = re.escape(user)
+    collection_url_escaped = re.escape(collection_url)
+    regex = ConfigParser({"login": user_escaped, "path": collection_url_escaped})
    if rights_type in DEFINED_RIGHTS:
        log.LOGGER.debug("Rights type '%s'" % rights_type)
        regex.readfp(StringIO(DEFINED_RIGHTS[rights_type]))