assert sanitized and stripped paths

2025-09-15 20:36:55 +00:00 · 2018-08-28 16:19:50 +02:00 · 2018-08-28 16:19:50 +02:00 · 5429f5c1a9
commit 5429f5c1a9
parent c08754cf92
19 changed files with 108 additions and 72 deletions
--- a/radicale/app/propfind.py
+++ b/radicale/app/propfind.py
@ -95,9 +95,10 @@ def xml_propfind_response(base_prefix, path, item, props, user, write=False,
    href = ET.Element(xmlutils.make_tag("D", "href"))
    if is_collection:
        # Some clients expect collections to end with /
-        uri = "/%s/" % item.path if item.path else "/"
+        uri = pathutils.unstrip_path(item.path, True)
    else:
-        uri = "/" + posixpath.join(collection.path, item.href)
+        uri = pathutils.unstrip_path(
+            posixpath.join(collection.path, item.href))

    href.text = xmlutils.make_href(base_prefix, uri)
    response.append(href)
@ -335,7 +336,7 @@ class ApplicationPropfindMixin:
        """Get items from request that user is allowed to access."""
        for item in items:
            if isinstance(item, storage.BaseCollection):
-                path = pathutils.sanitize_path("/%s/" % item.path)
+                path = pathutils.unstrip_path(item.path, True)
                if item.get_meta("tag"):
                    permissions = self.Rights.authorized(user, path, "rw")
                    target = "collection with tag %r" % item.path
@ -343,7 +344,7 @@ class ApplicationPropfindMixin:
                    permissions = self.Rights.authorized(user, path, "RW")
                    target = "collection %r" % item.path
            else:
-                path = pathutils.sanitize_path("/%s/" % item.collection.path)
+                path = pathutils.unstrip_path(item.collection.path, True)
                permissions = self.Rights.authorized(user, path, "rw")
                target = "item %r from %r" % (item.href, item.collection.path)
            if rights.intersect_permissions(permissions, "Ww"):