assert sanitized and stripped paths

2025-06-26 16:45:52 +00:00 · 2018-08-28 16:19:50 +02:00 · 2018-08-28 16:19:50 +02:00 · 5429f5c1a9
commit 5429f5c1a9
parent c08754cf92
19 changed files with 108 additions and 72 deletions
--- a/radicale/web/none.py
+++ b/radicale/web/none.py
@ -16,11 +16,13 @@

 from http import client

-from radicale import httputils, web
+from radicale import httputils, pathutils, web


 class Web(web.BaseWeb):
    def get(self, environ, base_prefix, path, user):
+        assert path == "/.web" or path.startswith("/.web/")
+        assert pathutils.sanitize_path(path) == path
        if path != "/.web":
            return httputils.NOT_FOUND
        return client.OK, {"Content-Type": "text/plain"}, "Radicale works!"