assert sanitized and stripped paths

2025-06-26 16:45:52 +00:00 · 2018-08-28 16:19:50 +02:00 · 2018-08-28 16:19:50 +02:00 · 5429f5c1a9
commit 5429f5c1a9
parent c08754cf92
19 changed files with 108 additions and 72 deletions
--- a/radicale/web/internal.py
+++ b/radicale/web/internal.py
@ -48,9 +48,11 @@ class Web(web.BaseWeb):
                                                      "internal_data")

    def get(self, environ, base_prefix, path, user):
+        assert path == "/.web" or path.startswith("/.web/")
+        assert pathutils.sanitize_path(path) == path
        try:
            filesystem_path = pathutils.path_to_filesystem(
-                self.folder, path[len("/.web"):])
+                self.folder, path[len("/.web"):].strip("/"))
        except ValueError as e:
            logger.debug("Web content with unsafe path %r requested: %s",
                         path, e, exc_info=True)