Prevent unsafe usernames
If an attacker is able to create an account with a username like "user/calendar.ics", he can access collections of other users.
This commit is contained in:
parent
f4ebe3f545
commit
da1a693620
3 changed files with 20 additions and 1 deletions
@ -311,7 +311,12 @@ class Application:
|
|||
headers = {"Location": redirect}
|
||||
return response(status, headers)
|
||||
|
||||
is_authenticated = self.is_authenticated(user, password)
|
||||
if user and not storage.is_safe_path_component(user):
|
||||
# Prevent usernames like "user/calendar.ics"
|
||||
self.logger.info("Refused unsafe username: %s", user)
|
||||
is_authenticated = False
|
||||
else:
|
||||
is_authenticated = self.is_authenticated(user, password)
|
||||
is_valid_user = is_authenticated or not user
|
||||
|
||||
# Get content
|
||||
|
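Review bot: The refusal branch writes the attacker-supplied username straight into the log with `self.logger.info("Refused unsafe username: %s", user)`; a value that fails `storage.is_safe_path_component` is by construction unusual and may carry newlines or other control characters, so it should be logged in escaped form, e.g. `self.logger.info("Refused unsafe username: %r", user)`. Because this is a rejected authentication attempt rather than routine traffic, `warning` rather than `info` is the level that will survive the usual production log filtering and be visible to whoever monitors the server. The new check only sets `is_authenticated = False`, so the request still falls through to `is_valid_user = is_authenticated or not user` and is treated like any other failed login, which looks correct but is worth a one-line comment such as `# Unsafe names are treated as a failed login; the caller answers 401 below` if that is indeed what the code after the hunk does. The enclosing method starts and ends outside the hunk, and the page does not show which file this section belongs to.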