Prevent unsafe usernames

If an attacker is able to create an account with a username like "user/calendar.ics", he can access collections of other users.
2016-08-01 09:10:23 +02:00
parent f4ebe3f545
commit da1a693620
3 changed files with 20 additions and 1 deletions
--- a/radicale/init.py
+++ b/radicale/init.py
@@ -311,7 +311,12 @@ class Application:
                headers = {"Location": redirect}
            return response(status, headers)

-        is_authenticated = self.is_authenticated(user, password)
+        if user and not storage.is_safe_path_component(user):
+            # Prevent usernames like "user/calendar.ics"
+            self.logger.info("Refused unsafe username: %s", user)
+            is_authenticated = False
+        else:
+            is_authenticated = self.is_authenticated(user, password)
        is_valid_user = is_authenticated or not user

        # Get content