From 5dbf9df8765a17814c0e47fab1b188d570e6a376 Mon Sep 17 00:00:00 2001
From: Unrud
Date: Sun, 4 Sep 2016 13:09:10 +0200
Subject: [PATCH] Add missing checks for safe fileystem components

Currently it's not possible to exploit these.
---
 radicale/storage.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/radicale/storage.py b/radicale/storage.py
index 0b0d570c..95293ab7 100644
--- a/radicale/storage.py
+++ b/radicale/storage.py
@@ -584,6 +584,8 @@ class Collection(BaseCollection):
 """
 fs = []
 for href, item in vobject_items.items():
+ if not is_safe_filesystem_path_component(href):
+ raise UnsafePathError(href)
 path = path_to_filesystem(self._filesystem_path, href)
 fs.append(open(path, "w", encoding=self.encoding, newline=""))
 fs[-1].write(item.serialize())
@@ -595,6 +597,8 @@ class Collection(BaseCollection):
 
 @classmethod
 def move(cls, item, to_collection, to_href):
+ if not is_safe_filesystem_path_component(to_href):
+ raise UnsafePathError(to_href)
 os.replace(
 path_to_filesystem(item.collection._filesystem_path, item.href),
 path_to_filesystem(to_collection._filesystem_path, to_href))
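Review bot: In the `vobject_items` loop, `UnsafePathError` is raised only when iteration reaches the offending key, so every item before it has already been opened and written. The handles collected in `fs` are also left open on that path, unless cleanup exists outside the hunk. Rejecting the whole batch before the first `open()` keeps the upload all-or-nothing. I would move the check into its own pass ahead of this loop, `for href in vobject_items:` with `if not is_safe_filesystem_path_component(href): raise UnsafePathError(href)` as its body. The enclosing method starts above the hunk and continues below it, so the close/sync handling could not be checked from here.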
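Review bot: `move` now validates `to_href`, but `item.href` still reaches `path_to_filesystem` without the same check. Whether an `Item` can carry an href that was never validated is not visible in this hunk. If it can, the source side of the `os.replace` has the gap this commit closes for the destination. Adding `if not is_safe_filesystem_path_component(item.href): raise UnsafePathError(item.href)` next to the new guard would make both sides symmetric. A short comment such as `# Defence in depth: hrefs must be a single safe path component` would record why the check is kept even though the commit message calls it currently unexploitable. The end of `move` is not visible in the hunk.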