From ee095a463d997eed30232e4a8e25ca3ef2acea1a Mon Sep 17 00:00:00 2001
From: Unrud
Date: Thu, 24 Dec 2015 07:48:14 +0100
Subject: [PATCH] Improve URI sanitation

The old implementation failed to sanitize URIs like ".", "..", "../.." or "//"
---
 radicale/__init__.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/radicale/__init__.py b/radicale/__init__.py
index df3ca9d..7ff04d8 100644
--- a/radicale/__init__.py
+++ b/radicale/__init__.py
@@ -177,12 +177,17 @@ class Application(object):
 
     @staticmethod
     def sanitize_uri(uri):
-        """Unquote and remove /../ to prevent access to other data."""
+        """Unquote and make absolute to prevent access to other data."""
         uri = unquote(uri)
         trailing_slash = "/" if uri.endswith("/") else ""
         uri = posixpath.normpath(uri)
-        trailing_slash = "" if uri == "/" else trailing_slash
-        return uri + trailing_slash
+        new_uri = "/"
+        for part in uri.split("/"):
+            if not part or part in (".", ".."):
+                continue
+            new_uri = posixpath.join(new_uri, part)
+        trailing_slash = "" if new_uri.endswith("/") else trailing_slash
+        return new_uri + trailing_slash
 
     def collect_allowed_items(self, items, user):
         """Get items from request that user is allowed to access."""
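Review bot: The new docstring "Unquote and make absolute" understates the contract the body now enforces: the split-and-join loop guarantees the result starts with "/" and contains no empty, "." or ".." segments, and a reader at the call site should not have to re-derive that from the loop. I would extend it to `"""Unquote, normalize and make absolute to prevent access to other data. The result always starts with "/", contains no empty, "." or ".." segments, and keeps the input's trailing slash (except for the root)."""`. Because unquote() runs before posixpath.normpath() and the split, percent-encoded separators and dots (e.g. `%2F`, `%2E`) are decoded before sanitation, which is the right order and worth a one-line comment such as `# decode first so encoded "/" and "." take part in normalization`. The inputs the commit message names (".", "..", "../..", "//") plus an encoded "..%2F.." would make good regression tests for this helper. The function only addresses path traversal; other characters unquote() can produce (a NUL byte, a backslash) pass through untouched, so any later mapping of the result onto a filesystem path presumably still needs its own check.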