From d5b8ddd71c5b4bf8fd56e91041c5f2cd6da9a276 Mon Sep 17 00:00:00 2001
From: Unrud
Date: Sun, 4 Sep 2016 20:19:39 +0200
Subject: [PATCH] Check that name is valid in name_from_path

Before it was possible craft XML requests, so that the storage backend got requests with invalid hrefs.
---
 radicale/xmlutils.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/radicale/xmlutils.py b/radicale/xmlutils.py
index 7e91192..b0c5b92 100644
--- a/radicale/xmlutils.py
+++ b/radicale/xmlutils.py
@@ -423,7 +423,11 @@ def name_from_path(path, collection):
 start = collection.path + "/"
 if not path.startswith(start):
 raise ValueError("'%s' doesn't start with '%s'" % (path, start))
- return path[len(start):].rstrip("/")
+ name = path[len(start):][:-1]
+ if name and not storage.is_safe_path_component(name):
+ raise ValueError("'%s' is not a component in collection '%s'" %
+ (path, collection.path))
+ return name


 def props_from_request(root, actions=("set", "remove")):
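Review bot: The slice `path[len(start):][:-1]` drops the last character whatever it is, so it is only correct if `path` is guaranteed to end in exactly one `/`. The top of name_from_path lies above the hunk, so that guarantee cannot be confirmed from this diff. If a path without a trailing slash can reach this line, the name is silently truncated, and the truncated value is what `storage.is_safe_path_component` validates and what the storage backend is then asked for. Make the assumption explicit before the slice, for example `if not path.endswith("/"): raise ValueError("'%s' has no trailing slash" % path)`. The `if name and ...` guard skips validation for an empty name, presumably because that denotes the collection itself; a one-line comment saying so would keep a later edit from removing the exemption or widening it.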