Don't leak existing user in owner_only rights plugin

If a user did not exist, the error response for the principal collection was 404, which revealed whether a given user exists.
Unrud 2017-06-16 23:13:45 +02:00
parent 5669433f58
commit ded660df07


@ -116,6 +116,12 @@ class OwnerOnlyRights(BaseRights):
permission == "r" and not sane_path or permission == "r" and not sane_path or
user == sane_path.split("/", maxsplit=1)[0]) user == sane_path.split("/", maxsplit=1)[0])
def authorized_item(self, user, path, permission):
sane_path = storage.sanitize_path(path).strip("/")
if "/" not in sane_path:
return False
return super().authorized_item(user, path, permission)
class Rights(BaseRights): class Rights(BaseRights):
def __init__(self, configuration, logger): def __init__(self, configuration, logger):
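Review bot: The new `authorized_item` returns False for every path with no `/` after sanitizing, and nothing in the code says why; the check ignores both `user` and `permission`, so it also refuses the owner and the empty root path. A short docstring would protect it from a well-meant later relaxation that brings back the distinguishable response, e.g. `"""Deny items directly below the root so an existing and a missing principal give the same response."""`. No test is visible in this hunk; a regression test that requests the principal path of an existing and of a non-existing user as a third party and asserts identical status codes would pin the behaviour. The body of `OwnerOnlyRights` begins outside the hunk, so whether `authorized` needs a matching guard cannot be judged from here.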