Merge pull request #450 from Unrud/safeusernames

Prevent unsafe usernames
2025-08-10 18:40:53 +00:00 · 2016-08-01 12:14:40 +02:00 · 2016-08-01 12:14:40 +02:00 · 9d3086427d
commit 9d3086427d
parent 605e21494d da1a693620
3 changed files with 20 additions and 1 deletions
--- a/radicale/rights.py
+++ b/radicale/rights.py
@ -43,6 +43,8 @@ from configparser import ConfigParser
 from importlib import import_module
 from io import StringIO

+from . import storage
+

 def load(configuration, logger):
    """Load the rights manager chosen in configuration."""
@ -103,6 +105,9 @@ class Rights(BaseRights):

    def authorized(self, user, collection, permission):
        user = user or ''
+        if user and not storage.is_safe_path_component(user):
+            # Prevent usernames like "user/calendar.ics"
+            raise ValueError("Unsafe username")
        collection_url = collection.path.rstrip("/") or "/"
        if collection_url in (".well-known/carddav", ".well-known/caldav"):
            return permission == "r"