tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve URI sanitation

Browse Source 
The old implementation failed to sanitize URIs
like ".", "..", "../.." or "//"
This commit is contained in:
Unrud 2015-12-24 07:48:14 +01:00
parent c217e5d2ff
commit ee095a463d
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
radicale/__init__.py
View File

@ -177,12 +177,17 @@ class Application(object):
@staticmethod @staticmethod
def sanitize_uri(uri): def sanitize_uri(uri):
"""Unquote and remove /../ to prevent access to other data.""" """Unquote and make absolute to prevent access to other data."""
uri = unquote(uri) uri = unquote(uri)
trailing_slash = "/" if uri.endswith("/") else "" trailing_slash = "/" if uri.endswith("/") else ""
uri = posixpath.normpath(uri) uri = posixpath.normpath(uri)
trailing_slash = "" if uri == "/" else trailing_slash new_uri = "/"
return uri + trailing_slash for part in uri.split("/"):
if not part or part in (".", ".."):
continue
new_uri = posixpath.join(new_uri, part)
trailing_slash = "" if new_uri.endswith("/") else trailing_slash
return new_uri + trailing_slash
def collect_allowed_items(self, items, user): def collect_allowed_items(self, items, user):
"""Get items from request that user is allowed to access.""" """Get items from request that user is allowed to access."""