From 90d82d044c68fcd1287e13c3841307474d9be83f Mon Sep 17 00:00:00 2001
From: Christoph Polcin
Date: Wed, 15 Jan 2014 10:39:28 +0100
Subject: [PATCH 1/2] Fix access to collections
under certain conditions it was possible to pass the final access control if-clause.
the master branch granted access if:
if ((read_allowed_items or write_allowed_items) and (not user or auth.is_authenticated(user, password))) or function == self.options or not items:
the easy-connect branch from pull request #95 adds:
(is_authenticated and function == self.propfind) or
the last `or not items` condition levers out the previous authentication and access control.
that isn't that big secuity issue because in this case there are no collection and items at all. but "bad" and anonymous users could gather data and information which not destined for them.
this commit fixes and simplifies the if-clause.
---
 radicale/__init__.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/radicale/__init__.py b/radicale/__init__.py
index c0d762b..329f84e 100644
--- a/radicale/__init__.py
+++ b/radicale/__init__.py
@@ -284,13 +284,12 @@ class Application(object):
 self.collect_allowed_items(items, user)
 is_authenticated = auth.is_authenticated(user, password)
+ is_valid_user = is_authenticated or not user
- if ((read_allowed_items or write_allowed_items)
- and (not user or is_authenticated)) or \
- (is_authenticated and function == self.propfind) or \
- function == self.options or not items:
- # Collections found, or authenticated PROPFIND request,
- # or OPTIONS request, or no items at all
+ if is_valid_user and (
+ (read_allowed_items or write_allowed_items) or
+ (is_authenticated and function == self.propfind) or
+ function == self.options):
 status, headers, answer = function(
 environ, read_allowed_items, write_allowed_items, content, user)
From 3aa992e5181986b87b8ea288b46bdd146930be76 Mon Sep 17 00:00:00 2001
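Review bot: The comment that explained the old access condition is deleted together with it and the rewritten `if is_valid_user and (...)` gets none, so a reader has to re-derive why a request without credentials can still reach the handler. A one-line comment above the `if` would keep that knowledge, e.g. `# Valid credentials (or none offered) and either an accessible collection, an authenticated PROPFIND, or an OPTIONS request`. Note that `is_valid_user` is true whenever no username was sent, so the credential check only bites when credentials were actually offered; that mirrors the old `not user or is_authenticated` and is presumably intended, but it is worth stating next to the definition, e.g. `# anonymous requests are "valid"; rights are applied by collect_allowed_items`. The body of the `if` and its `else` branch continue outside the hunk.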
From: Christoph Polcin
Date: Wed, 15 Jan 2014 10:44:35 +0100
Subject: [PATCH 2/2] Find collections if necessary
---
 radicale/__init__.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/radicale/__init__.py b/radicale/__init__.py
index 329f84e..a036b4e 100644
--- a/radicale/__init__.py
+++ b/radicale/__init__.py
@@ -264,9 +264,6 @@ class Application(object):
 path = environ["PATH_INFO"]
- # Find collection(s)
- items = ical.Collection.from_path(path, environ.get("HTTP_DEPTH", "0"))
- # Get function corresponding to method
 function = getattr(self, environ["REQUEST_METHOD"].lower())
@@ -280,12 +277,17 @@ class Application(object):
 else:
 user = password = None
- read_allowed_items, write_allowed_items = \
- self.collect_allowed_items(items, user)
- is_authenticated = auth.is_authenticated(user, password)
 is_valid_user = is_authenticated or not user
+ if is_valid_user:
+ items = ical.Collection.from_path(path,
+ environ.get("HTTP_DEPTH", "0"))
+ read_allowed_items, write_allowed_items = \
+ self.collect_allowed_items(items, user)
+ else:
+ read_allowed_items, write_allowed_items = None, None
+ if is_valid_user and (
+ (read_allowed_items or write_allowed_items) or
+ (is_authenticated and function == self.propfind) or
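Review bot: `items` is only bound inside the `if is_valid_user:` branch of the new block, so the `else` path leaves it undefined and anything after the hunk that reads `items` (logging, the refusal branch) would raise NameError for rejected credentials. Bind it on both paths, e.g. `items = None` under `else:`, and consider giving `read_allowed_items, write_allowed_items` the same empty value that `collect_allowed_items` returns rather than `None, None` so later code sees one type — I cannot see that helper's return type from here. Moving the lookup behind the credential check is the right direction, since a request with rejected credentials no longer triggers `Collection.from_path` at all; a comment such as `# Look up collections only once credentials have been accepted` would record that intent. The continuation line `environ.get("HTTP_DEPTH", "0"))` sits at the same indent as the following statement, which PEP 8 discourages; align it under `path,` or indent it one level further. The `if is_valid_user and (` access check that follows continues outside the hunk.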