Merge branch 'master' into lightning
This commit is contained in:
commit
87a4a4e012
@ -31,6 +31,7 @@ should have been included in this package.
|
||||
import os
|
||||
import pprint
|
||||
import base64
|
||||
import posixpath
|
||||
import socket
|
||||
import ssl
|
||||
import wsgiref.simple_server
|
||||
@ -38,9 +39,11 @@ import wsgiref.simple_server
|
||||
# pylint: disable=F0401
|
||||
try:
|
||||
from http import client, server
|
||||
import urllib.parse as urllib
|
||||
except ImportError:
|
||||
import httplib as client
|
||||
import BaseHTTPServer as server
|
||||
import urllib
|
||||
# pylint: enable=F0401
|
||||
|
||||
from radicale import acl, config, ical, log, xmlutils
|
||||
@ -137,6 +140,12 @@ class Application(object):
|
||||
pass
|
||||
raise UnicodeDecodeError
|
||||
|
||||
@staticmethod
|
||||
def sanitize_uri(uri):
|
||||
"""Clean URI: unquote and remove /../ to prevent access to other data."""
|
||||
uri = posixpath.normpath(urllib.unquote(uri))
|
||||
return uri
|
||||
|
||||
def __call__(self, environ, start_response):
|
||||
"""Manage a request."""
|
||||
log.LOGGER.info("%s request at %s received" % (
|
||||
@ -144,6 +153,10 @@ class Application(object):
|
||||
headers = pprint.pformat(self.headers_log(environ))
|
||||
log.LOGGER.debug("Request headers:\n%s" % headers)
|
||||
|
||||
# Sanitize request URI
|
||||
environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])
|
||||
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
|
||||
|
||||
# Get content
|
||||
content_length = int(environ.get("CONTENT_LENGTH") or 0)
|
||||
if content_length:
|
||||
|
@ -183,7 +183,8 @@ class Calendar(object):
|
||||
The ``path`` is relative to the storage folder.
|
||||
|
||||
"""
|
||||
attributes = posixpath.normpath(path.strip("/")).split("/")
|
||||
# First do normpath and then strip, to prevent access to FOLDER/../
|
||||
attributes = posixpath.normpath(path).strip("/").split("/")
|
||||
if not attributes:
|
||||
return None
|
||||
if attributes[-1].endswith(".ics"):
|
||||
|
Loading…
Reference in New Issue
Block a user