tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't reject everybody from "/" with owner_only

Browse Source 
Fix 407.
This commit is contained in:
Guillaume Ayoub 2016-08-01 18:59:47 +02:00
parent 6bfdcbafec
commit b517818749
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
radicale/rights.py
View File

@ -80,6 +80,10 @@ permission:r
user:.+ user:.+
collection:%(login)s(/.*)? collection:%(login)s(/.*)?
permission:rw permission:rw
[r]
user:.+
collection:
permission:r
"""} """}
@ -108,7 +112,7 @@ class Rights(BaseRights):
if user and not storage.is_safe_path_component(user): if user and not storage.is_safe_path_component(user):
# Prevent usernames like "user/calendar.ics" # Prevent usernames like "user/calendar.ics"
raise ValueError("Unsafe username") raise ValueError("Unsafe username")
collection_url = collection.path.rstrip("/") or "/" collection_url = collection.path.rstrip("/")
if collection_url in (".well-known/carddav", ".well-known/caldav"): if collection_url in (".well-known/carddav", ".well-known/caldav"):
return permission == "r" return permission == "r"
# Prevent "regex injection" # Prevent "regex injection"