From ded660df0700c1ffcf24062871420bfe0ad42186 Mon Sep 17 00:00:00 2001
From: Unrud
Date: Fri, 16 Jun 2017 23:13:45 +0200
Subject: [PATCH] Don't leak existing user in owner_only rights plugin
If a user didn't exist the error message for the principal collection was 404.
---
 radicale/rights.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/radicale/rights.py b/radicale/rights.py
index ddf0792..28c8132 100644
--- a/radicale/rights.py
+++ b/radicale/rights.py
@@ -116,6 +116,12 @@ class OwnerOnlyRights(BaseRights):
 permission == "r" and not sane_path or user == sane_path.split("/", maxsplit=1)[0])
+ def authorized_item(self, user, path, permission):
+ sane_path = storage.sanitize_path(path).strip("/")
+ if "/" not in sane_path:
+ return False
+ return super().authorized_item(user, path, permission)
+
 class Rights(BaseRights):
 def __init__(self, configuration, logger):
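Review bot: The guard `if "/" not in sane_path: return False` in the added `authorized_item` has no comment or docstring, so a later maintainer cannot tell that it is a deliberate anti-enumeration measure rather than an oversight. I would add a docstring such as `"""Deny item access on the root and on principal-level paths so the response is the same whether or not the user exists."""`. The check ignores `user` and `permission`, so it also returns False for the owner's own single-segment path and for the empty root path; that presumably relies on the caller authorizing those paths as collections through `authorized()`, which is not visible in this hunk and is worth confirming. The patch touches only `radicale/rights.py`, so a regression test asserting that an existing and a non-existing principal produce the same status for a user who does not own them would keep this behaviour from silently regressing. The body of `OwnerOnlyRights` starts outside the hunk.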