From 139076faee768a226cb597d9353527ada2c10539 Mon Sep 17 00:00:00 2001
From: Unrud
Date: Sun, 4 Sep 2016 20:18:44 +0200
Subject: [PATCH] Sanitize URLs from XML requests
---
 radicale/xmlutils.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/radicale/xmlutils.py b/radicale/xmlutils.py
index c8f41ff..7e91192 100644
--- a/radicale/xmlutils.py
+++ b/radicale/xmlutils.py
@@ -766,7 +766,8 @@ def report(base_prefix, path, xml_request, collection):
 # Read rfc4791-7.9 for info
 hreferences = set()
 for href_element in root.findall(_tag("D", "href")):
- href_path = unquote(urlparse(href_element.text).path)
+ href_path = storage.sanitize_path(
+ unquote(urlparse(href_element.text).path))
 if (href_path + "/").startswith(base_prefix + "/"):
 hreferences.add(href_path[len(base_prefix):])
 else:
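Review bot: An empty `<D:href/>` element still reaches the new call chain, because `href_element.text` is `None` when the element has no text and nothing in the visible loop body checks for that before `urlparse`. What `unquote` and `storage.sanitize_path` do with that result depends on the Python version and on `sanitize_path`'s implementation (not shown here), so a malformed REPORT body may raise instead of being skipped; a guard such as `if not href_element.text: continue` as the first statement of the loop body would make the handling explicit. Because this is a fix for client-supplied paths, a regression test that sends a non-normalized href (for example one containing dot segments) and asserts that nothing outside `base_prefix` ends up in `hreferences` would be worth adding; the diffstat shows only `radicale/xmlutils.py` touched. The body of `report` starts and ends outside this hunk, including the `else:` branch.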