assert sanitized and stripped paths

Unrud
2018-08-28 16:19:50 +02:00
parent c08754cf92
commit 5429f5c1a9
19 changed files with 108 additions and 72 deletions


@ -48,9 +48,11 @@ class Web(web.BaseWeb):
"internal_data")
def get(self, environ, base_prefix, path, user):
assert path == "/.web" or path.startswith("/.web/")
assert pathutils.sanitize_path(path) == path
try:
filesystem_path = pathutils.path_to_filesystem(
self.folder, path[len("/.web"):])
self.folder, path[len("/.web"):].strip("/"))
except ValueError as e:
logger.debug("Web content with unsafe path %r requested: %s",
path, e, exc_info=True)
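Review bot: The new `assert pathutils.sanitize_path(path) == path` in `get` is a debugging invariant, not a check: Python drops assert statements under `-O`, and when it does fire, the AssertionError is raised before the `try` and is not caught by `except ValueError`, so the request never reaches the logged "unsafe path" branch. Traversal protection for web content therefore still has to come from `pathutils.path_to_filesystem` raising ValueError, which cannot be confirmed here because that function is outside the view. I would say so above the assert, e.g. `# Invariant only (removed under -O); unsafe components are rejected by path_to_filesystem below`, or, if callers are not guaranteed to pass a sanitized path, replace it with an explicit comparison that takes the same route as the ValueError branch. The same assert is added to the other `Web.get` in the second file section, where the path is only compared with "/.web", so nothing depends on it there. The body of `get` continues past the end of this hunk.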


@ -16,11 +16,13 @@
from http import client
from radicale import httputils, web
from radicale import httputils, pathutils, web
class Web(web.BaseWeb):
def get(self, environ, base_prefix, path, user):
assert path == "/.web" or path.startswith("/.web/")
assert pathutils.sanitize_path(path) == path
if path != "/.web":
return httputils.NOT_FOUND
return client.OK, {"Content-Type": "text/plain"}, "Radicale works!"