Merge branch 'master' into lightning
This commit is contained in:
commit
87a4a4e012
@ -31,6 +31,7 @@ should have been included in this package.
|
|||||||
import os
|
import os
|
||||||
import pprint
|
import pprint
|
||||||
import base64
|
import base64
|
||||||
|
import posixpath
|
||||||
import socket
|
import socket
|
||||||
import ssl
|
import ssl
|
||||||
import wsgiref.simple_server
|
import wsgiref.simple_server
|
||||||
@ -38,9 +39,11 @@ import wsgiref.simple_server
|
|||||||
# pylint: disable=F0401
|
# pylint: disable=F0401
|
||||||
try:
|
try:
|
||||||
from http import client, server
|
from http import client, server
|
||||||
|
import urllib.parse as urllib
|
||||||
except ImportError:
|
except ImportError:
|
||||||
import httplib as client
|
import httplib as client
|
||||||
import BaseHTTPServer as server
|
import BaseHTTPServer as server
|
||||||
|
import urllib
|
||||||
# pylint: enable=F0401
|
# pylint: enable=F0401
|
||||||
|
|
||||||
from radicale import acl, config, ical, log, xmlutils
|
from radicale import acl, config, ical, log, xmlutils
|
||||||
@ -137,6 +140,12 @@ class Application(object):
|
|||||||
pass
|
pass
|
||||||
raise UnicodeDecodeError
|
raise UnicodeDecodeError
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def sanitize_uri(uri):
|
||||||
|
"""Clean URI: unquote and remove /../ to prevent access to other data."""
|
||||||
|
uri = posixpath.normpath(urllib.unquote(uri))
|
||||||
|
return uri
|
||||||
|
|
||||||
def __call__(self, environ, start_response):
|
def __call__(self, environ, start_response):
|
||||||
"""Manage a request."""
|
"""Manage a request."""
|
||||||
log.LOGGER.info("%s request at %s received" % (
|
log.LOGGER.info("%s request at %s received" % (
|
||||||
@ -144,6 +153,10 @@ class Application(object):
|
|||||||
headers = pprint.pformat(self.headers_log(environ))
|
headers = pprint.pformat(self.headers_log(environ))
|
||||||
log.LOGGER.debug("Request headers:\n%s" % headers)
|
log.LOGGER.debug("Request headers:\n%s" % headers)
|
||||||
|
|
||||||
|
# Sanitize request URI
|
||||||
|
environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])
|
||||||
|
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
|
||||||
|
|
||||||
# Get content
|
# Get content
|
||||||
content_length = int(environ.get("CONTENT_LENGTH") or 0)
|
content_length = int(environ.get("CONTENT_LENGTH") or 0)
|
||||||
if content_length:
|
if content_length:
|
||||||
|
@ -183,7 +183,8 @@ class Calendar(object):
|
|||||||
The ``path`` is relative to the storage folder.
|
The ``path`` is relative to the storage folder.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
attributes = posixpath.normpath(path.strip("/")).split("/")
|
# First do normpath and then strip, to prevent access to FOLDER/../
|
||||||
|
attributes = posixpath.normpath(path).strip("/").split("/")
|
||||||
if not attributes:
|
if not attributes:
|
||||||
return None
|
return None
|
||||||
if attributes[-1].endswith(".ics"):
|
if attributes[-1].endswith(".ics"):
|
||||||
|
Loading…
Reference in New Issue
Block a user