Merge branch 'master' into lightning

Guillaume Ayoub 2011-06-15 23:22:49 +02:00
commit 87a4a4e012
2 changed files with 15 additions and 1 deletions


@ -31,6 +31,7 @@ should have been included in this package.
import os import os
import pprint import pprint
import base64 import base64
import posixpath
import socket import socket
import ssl import ssl
import wsgiref.simple_server import wsgiref.simple_server
@ -38,9 +39,11 @@ import wsgiref.simple_server
# pylint: disable=F0401 # pylint: disable=F0401
try: try:
from http import client, server from http import client, server
import urllib.parse as urllib
except ImportError: except ImportError:
import httplib as client import httplib as client
import BaseHTTPServer as server import BaseHTTPServer as server
import urllib
# pylint: enable=F0401 # pylint: enable=F0401
from radicale import acl, config, ical, log, xmlutils from radicale import acl, config, ical, log, xmlutils
@ -137,6 +140,12 @@ class Application(object):
pass pass
raise UnicodeDecodeError raise UnicodeDecodeError
@staticmethod
def sanitize_uri(uri):
"""Clean URI: unquote and remove /../ to prevent access to other data."""
uri = posixpath.normpath(urllib.unquote(uri))
return uri
def __call__(self, environ, start_response): def __call__(self, environ, start_response):
"""Manage a request.""" """Manage a request."""
log.LOGGER.info("%s request at %s received" % ( log.LOGGER.info("%s request at %s received" % (
@ -144,6 +153,10 @@ class Application(object):
headers = pprint.pformat(self.headers_log(environ)) headers = pprint.pformat(self.headers_log(environ))
log.LOGGER.debug("Request headers:\n%s" % headers) log.LOGGER.debug("Request headers:\n%s" % headers)
# Sanitize request URI
environ["PATH_INFO"] = self.sanitize_uri(environ["PATH_INFO"])
log.LOGGER.debug("Sanitized path: %s", environ["PATH_INFO"])
# Get content # Get content
content_length = int(environ.get("CONTENT_LENGTH") or 0) content_length = int(environ.get("CONTENT_LENGTH") or 0)
if content_length: if content_length:
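Review bot: `sanitize_uri` still lets a leading `..` through when the decoded URI is relative, because `posixpath.normpath` only collapses `..` against an absolute root: `normpath("../x")` stays `"../x"`, and `normpath("")` becomes `"."`, which is what an empty `PATH_INFO` (request for the script root) would now turn into. Anchoring before normalizing removes both cases: `uri = posixpath.normpath("/" + urllib.unquote(uri).lstrip("/"))`, which also avoids `normpath` preserving an exactly-double leading slash. Note that `normpath` also drops a trailing slash (`/cal/` → `/cal`); if any downstream routing distinguishes collections by that slash this is a behavior change worth confirming. The `"Sanitized path: %s"` debug call uses lazy `%`-args while the neighboring log lines pre-format with `%`, so the file's logging style is now mixed; either is fine but pick one.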


@ -183,7 +183,8 @@ class Calendar(object):
The ``path`` is relative to the storage folder. The ``path`` is relative to the storage folder.
""" """
attributes = posixpath.normpath(path.strip("/")).split("/") # First do normpath and then strip, to prevent access to FOLDER/../
attributes = posixpath.normpath(path).strip("/").split("/")
if not attributes: if not attributes:
return None return None
if attributes[-1].endswith(".ics"): if attributes[-1].endswith(".ics"):
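Review bot: Reordering `normpath` before `strip` closes the `/../` case for absolute paths, but the docstring says `path` is relative to the storage folder, and for a relative `path` a leading `..` survives `posixpath.normpath` unchanged (`normpath("../x") == "../x"`), so `attributes` can still begin with `".."`. Prefixing a root before normalizing makes the collapse unconditional: `attributes = posixpath.normpath("/" + path).strip("/").split("/")`. Separately, `"".split("/")` returns `[""]`, which is truthy, so the `if not attributes:` guard can never fire for an empty or all-slash path; `if not attributes[0]:` (or filtering empty segments) is what that check presumably intended. The enclosing method starts above this hunk and continues below it.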