diff --git a/radicale/storage.py b/radicale/storage.py
index 1dd59a3..79d5edc 100644
--- a/radicale/storage.py
+++ b/radicale/storage.py
@@ -126,7 +126,8 @@ def is_safe_filesystem_path_component(path):
     """
     return (
         path and not os.path.splitdrive(path)[0] and
-        not os.path.split(path)[0] and path not in (os.curdir, os.pardir))
+        not os.path.split(path)[0] and path not in (os.curdir, os.pardir) and
+        not path.startswith(".") and not path.endswith("~"))
 
 
 def path_to_filesystem(root, *paths):
@@ -346,6 +347,10 @@ class Collection(BaseCollection):
             yield collection.get(item[0])
         _, directories, _ = next(os.walk(collection._filesystem_path))
         for sub_path in directories:
+            if not is_safe_filesystem_path_component(sub_path):
+                cls.logger.debug(
+                    "Skipping collection: %s", sub_path)
+                continue
             full_path = os.path.join(collection._filesystem_path, sub_path)
             if os.path.exists(full_path):
                 yield cls(posixpath.join(path, sub_path))
@@ -395,6 +400,10 @@ class Collection(BaseCollection):
             return
 
         for href in hrefs:
+            if not is_safe_filesystem_path_component(href):
+                self.logger.debug(
+                    "Skipping component: %s", href)
+                continue
             path = os.path.join(self._filesystem_path, href)
             if not href.endswith(".props") and os.path.isfile(path):
                 with open(path, encoding=self.storage_encoding) as fd:
@@ -567,7 +576,7 @@ class Collection(BaseCollection):
             cls.configuration.get("storage", "filesystem_folder"))
         if not os.path.exists(folder):
             os.makedirs(folder, exist_ok=True)
-        lock_path = os.path.join(folder, "Radicale.lock")
+        lock_path = os.path.join(folder, ".Radicale.lock")
         cls._lock_file = open(lock_path, "w+")
         # set access rights to a necessary minimum to prevent locking
         # by arbitrary users
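Review bot: The docstring of `is_safe_filesystem_path_component` (the function starts above this hunk; only its closing `"""` is visible) is not updated to say why leading-dot and trailing-tilde names are now rejected, and the hunk keeps `path not in (os.curdir, os.pardir)` even though both values are already caught by `not path.startswith(".")`. Record the intent where the next maintainer will read it, e.g. `Names starting with "." are reserved for Radicale's own files (the lock file is renamed in this commit to rely on this) and names ending in "~" look like editor backups; both are rejected.` Consider also adding `"\0" not in path` to the conjunction: an embedded NUL that reaches `open()` raises `ValueError` rather than being refused cleanly here (the callers are outside this hunk, so this is inferred).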
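Review bot: The new guard in the `for sub_path in directories:` loop treats two different situations identically at debug level: dot-prefixed entries, which are presumably Radicale's own internal files and expected here, and anything else that fails the check (e.g. a `~` backup directory), which means a directory exists on disk but is never served and leaves no trace at normal log levels. Consider separating them, e.g. `if sub_path.startswith("."): continue` silently and `cls.logger.warning("Skipping unsafe collection name: %r", sub_path)` for the rest, or at least a comment `# entries starting with "." are internal files, not collections`. The loop body and the enclosing classmethod continue outside this hunk.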
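Review bot: `href` is supplied by the caller (the enclosing method starts above this hunk), and the added check is what keeps a value such as `../x` out of `os.path.join(self._filesystem_path, href)` and the `open()` two lines below; that is the right place for it, but a rejected href means a malformed client request or a traversal probe, not a routine event, so `debug` buries exactly the signal an operator would want. Suggest `self.logger.warning("Skipping unsafe href: %r", href)`, with `%r` so control characters in the name are escaped in the log. Note that `os.path.isfile(path)` follows symlinks, so the guard constrains the name but not where a symlinked entry inside the collection directory points — acceptable only if the storage directory itself is trusted.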
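Review bot: The rename to `.Radicale.lock` only has effect together with the new leading-dot rule in `is_safe_filesystem_path_component`, which presumably stops a client from addressing the lock file as an item; that coupling is invisible at this line and will be lost the next time someone tidies the filename. Add a comment above the assignment: `# leading dot: reserved names are rejected by is_safe_filesystem_path_component`. A `Radicale.lock` left behind by an earlier version is not removed here, which is harmless but may confuse operators inspecting the folder. The enclosing classmethod continues outside this hunk.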