Check that name is valid in name_from_path

Before it was possible craft XML requests, so that the storage backend got requests with invalid hrefs.
2016-09-04 20:19:39 +02:00
parent 139076faee
commit d5b8ddd71c
1 changed files with 5 additions and 1 deletions
--- a/radicale/xmlutils.py
+++ b/radicale/xmlutils.py
@@ -423,7 +423,11 @@ def name_from_path(path, collection):
    start = collection.path + "/"
    if not path.startswith(start):
        raise ValueError("'%s' doesn't start with '%s'" % (path, start))
-    return path[len(start):].rstrip("/")
+    name = path[len(start):][:-1]
+    if name and not storage.is_safe_path_component(name):
+        raise ValueError("'%s' is not a component in collection '%s'" %
+                         (path, collection.path))
+    return name


 def props_from_request(root, actions=("set", "remove")):