tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent "regex injection"

Browse Source 
If an attacker is able to authenticate with a user name like .* he can bypass limitations imposed by "owner_write" and "owner_only".
This commit is contained in:
Unrud 2015-12-23 07:05:20 +01:00
parent c7fe4777b1
commit 4bfe7c9f79
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
radicale/rights/regex.py
View File

@ -65,7 +65,10 @@ def _read_from_sections(user, collection_url, permission):
"""Get regex sections.""" """Get regex sections."""
filename = os.path.expanduser(config.get("rights", "file")) filename = os.path.expanduser(config.get("rights", "file"))
rights_type = config.get("rights", "type").lower() rights_type = config.get("rights", "type").lower()
regex = ConfigParser({"login": user, "path": collection_url}) # Prevent "regex injection"
user_escaped = re.escape(user)
collection_url_escaped = re.escape(collection_url)
regex = ConfigParser({"login": user_escaped, "path": collection_url_escaped})
if rights_type in DEFINED_RIGHTS: if rights_type in DEFINED_RIGHTS:
log.LOGGER.debug("Rights type '%s'" % rights_type) log.LOGGER.debug("Rights type '%s'" % rights_type)
regex.readfp(StringIO(DEFINED_RIGHTS[rights_type])) regex.readfp(StringIO(DEFINED_RIGHTS[rights_type]))