Check for conflicting file names

On Windows file systems the user "TESTUS~1" can access the data of the user "testuser".
2017-03-07 17:44:07 +01:00 · 2017-03-07 17:44:07 +01:00 · 2d170bd41f
commit 2d170bd41f
parent 9900251b8b
1 changed files with 12 additions and 0 deletions
--- a/radicale/storage.py
+++ b/radicale/storage.py
@ -172,7 +172,13 @@ def path_to_filesystem(root, *paths):
        for part in path.split("/"):
            if not is_safe_filesystem_path_component(part):
                raise UnsafePathError(part)
+            safe_path_parent = safe_path
            safe_path = os.path.join(safe_path, part)
+            # Check for conflicting files (e.g. case-insensitive file systems
+            # or short names on Windows file systems)
+            if os.path.lexists(safe_path):
+                if not part in os.listdir(safe_path_parent):
+                    raise CollidingPathError(part)
    return safe_path


@ -182,6 +188,12 @@ class UnsafePathError(ValueError):
        super().__init__(message)


+class CollidingPathError(ValueError):
+    def __init__(self, path):
+        message = "File name collision: %s" % path
+        super().__init__(message)
+
+
 class ComponentExistsError(ValueError):
    def __init__(self, path):
        message = "Component already exists: %s" % path