Add missing checks for safe fileystem components
Currently it's not possible to exploit these.
parent
dc501d5dc5
commit
5dbf9df876
@ -584,6 +584,8 @@ class Collection(BaseCollection):
|
|||||||
"""
|
"""
|
||||||
fs = []
|
fs = []
|
||||||
for href, item in vobject_items.items():
|
for href, item in vobject_items.items():
|
||||||
|
if not is_safe_filesystem_path_component(href):
|
||||||
|
raise UnsafePathError(href)
|
||||||
path = path_to_filesystem(self._filesystem_path, href)
|
path = path_to_filesystem(self._filesystem_path, href)
|
||||||
fs.append(open(path, "w", encoding=self.encoding, newline=""))
|
fs.append(open(path, "w", encoding=self.encoding, newline=""))
|
||||||
fs[-1].write(item.serialize())
|
fs[-1].write(item.serialize())
|
||||||
@ -595,6 +597,8 @@ class Collection(BaseCollection):
|
|||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def move(cls, item, to_collection, to_href):
|
def move(cls, item, to_collection, to_href):
|
||||||
|
if not is_safe_filesystem_path_component(to_href):
|
||||||
|
raise UnsafePathError(to_href)
|
||||||
os.replace(
|
os.replace(
|
||||||
path_to_filesystem(item.collection._filesystem_path, item.href),
|
path_to_filesystem(item.collection._filesystem_path, item.href),
|
||||||
path_to_filesystem(to_collection._filesystem_path, to_href))
|
path_to_filesystem(to_collection._filesystem_path, to_href))
|
||||||
|
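Review bot: In the first hunk the new check runs inside the loop, so an unsafe `href` that is not the first key raises `UnsafePathError` only after earlier iterations have opened and written files collected in `fs`; nothing in the visible lines closes those handles or removes the partial output. Validating every key before the first `open()` avoids that, for example a separate pass `for href in vobject_items:` with the same `if not is_safe_filesystem_path_component(href): raise UnsafePathError(href)` placed ahead of `fs = []`. The enclosing method starts and ends outside the hunk, so cleanup may exist further down and should be confirmed. In `move`, only `to_href` is checked; if `item.href` is already validated when the item is loaded, a one-line comment saying so would make the asymmetry explicit.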