Check that name is valid in name_from_path

Previously it was possible to craft XML requests so that the storage backend received requests with invalid hrefs.
Unrud 2016-09-04 20:19:39 +02:00
parent 139076faee
commit d5b8ddd71c


@ -423,7 +423,11 @@ def name_from_path(path, collection):
start = collection.path + "/"
if not path.startswith(start):
raise ValueError("'%s' doesn't start with '%s'" % (path, start))
return path[len(start):].rstrip("/")
name = path[len(start):][:-1]
if name and not storage.is_safe_path_component(name):
raise ValueError("'%s' is not a component in collection '%s'" %
(path, collection.path))
return name
def props_from_request(root, actions=("set", "remove")):
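Review bot: `name = path[len(start):][:-1]` drops the last character unconditionally, whereas the removed line only stripped trailing slashes, so it is correct only if `path` is guaranteed to end in exactly one `/` by code above the hunk (the start of name_from_path is not visible here). If that normalisation is not guaranteed, a path without a trailing slash loses a real character and the name that gets validated and returned is not the one the client sent; either state the precondition in a comment such as `# path is normalised above to end with exactly one "/"`, or strip explicitly with `name = path[len(start):]` followed by `if name.endswith("/"): name = name[:-1]`. The empty name is let through by `if name and ...`, presumably to stand for the collection itself; a one-line comment saying so would help, as would a regression test that feeds hrefs containing `..` and embedded `/` components and expects ValueError.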