commit
caa4c16dfd
@ -126,7 +126,8 @@ def is_safe_filesystem_path_component(path):
|
|||||||
"""
|
"""
|
||||||
return (
|
return (
|
||||||
path and not os.path.splitdrive(path)[0] and
|
path and not os.path.splitdrive(path)[0] and
|
||||||
not os.path.split(path)[0] and path not in (os.curdir, os.pardir))
|
not os.path.split(path)[0] and path not in (os.curdir, os.pardir) and
|
||||||
|
not path.startswith(".") and not path.endswith("~"))
|
||||||
|
|
||||||
|
|
||||||
def path_to_filesystem(root, *paths):
|
def path_to_filesystem(root, *paths):
|
||||||
@ -346,6 +347,10 @@ class Collection(BaseCollection):
|
|||||||
yield collection.get(item[0])
|
yield collection.get(item[0])
|
||||||
_, directories, _ = next(os.walk(collection._filesystem_path))
|
_, directories, _ = next(os.walk(collection._filesystem_path))
|
||||||
for sub_path in directories:
|
for sub_path in directories:
|
||||||
|
if not is_safe_filesystem_path_component(sub_path):
|
||||||
|
cls.logger.debug(
|
||||||
|
"Skipping collection: %s", sub_path)
|
||||||
|
continue
|
||||||
full_path = os.path.join(collection._filesystem_path, sub_path)
|
full_path = os.path.join(collection._filesystem_path, sub_path)
|
||||||
if os.path.exists(full_path):
|
if os.path.exists(full_path):
|
||||||
yield cls(posixpath.join(path, sub_path))
|
yield cls(posixpath.join(path, sub_path))
|
||||||
@ -395,6 +400,10 @@ class Collection(BaseCollection):
|
|||||||
return
|
return
|
||||||
|
|
||||||
for href in hrefs:
|
for href in hrefs:
|
||||||
|
if not is_safe_filesystem_path_component(href):
|
||||||
|
self.logger.debug(
|
||||||
|
"Skipping component: %s", href)
|
||||||
|
continue
|
||||||
path = os.path.join(self._filesystem_path, href)
|
path = os.path.join(self._filesystem_path, href)
|
||||||
if not href.endswith(".props") and os.path.isfile(path):
|
if not href.endswith(".props") and os.path.isfile(path):
|
||||||
with open(path, encoding=self.storage_encoding) as fd:
|
with open(path, encoding=self.storage_encoding) as fd:
|
||||||
@ -567,7 +576,7 @@ class Collection(BaseCollection):
|
|||||||
cls.configuration.get("storage", "filesystem_folder"))
|
cls.configuration.get("storage", "filesystem_folder"))
|
||||||
if not os.path.exists(folder):
|
if not os.path.exists(folder):
|
||||||
os.makedirs(folder, exist_ok=True)
|
os.makedirs(folder, exist_ok=True)
|
||||||
lock_path = os.path.join(folder, "Radicale.lock")
|
lock_path = os.path.join(folder, ".Radicale.lock")
|
||||||
cls._lock_file = open(lock_path, "w+")
|
cls._lock_file = open(lock_path, "w+")
|
||||||
# set access rights to a necessary minimum to prevent locking
|
# set access rights to a necessary minimum to prevent locking
|
||||||
# by arbitrary users
|
# by arbitrary users
|
||||||
|
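Review bot: Renaming the lock file to `.Radicale.lock` (hunk at -567) only hides it on fresh installs: a `Radicale.lock` left behind by an earlier version neither starts with `.` nor ends with `~`, so the new filter in the listing loop (hunk at -395) still lets it reach `os.path.isfile(path)` and `open()` as if it were an item, if it sits in a listed folder. An old and a new process sharing the storage folder would also lock different files during an upgrade. Consider skipping the legacy name explicitly, e.g. `if href == "Radicale.lock": continue`, or removing the stale file at startup. Separately, `is_safe_filesystem_path_component` now carries a visibility policy on top of the traversal checks, so any other caller (presumably `path_to_filesystem`, defined just below) will reject such names too. Its docstring should say so, e.g. `Components starting with "." or ending with "~" are reserved for internal files and are rejected.` The enclosing function bodies start and end outside the hunks shown.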