Prevent unsafe usernames

If an attacker is able to create an account with a username like "user/calendar.ics", he can access collections of other users.

radicale/rights.py

@@ -43,6 +43,8 @@ from configparser import ConfigParser
 from importlib import import_module
 from io import StringIO
 
+from . import storage
+
 
 def load(configuration, logger):
     """Load the rights manager chosen in configuration."""
@@ -103,6 +105,9 @@ class Rights(BaseRights):
 
     def authorized(self, user, collection, permission):
         user = user or ''
+        if user and not storage.is_safe_path_component(user):
+            # Prevent usernames like "user/calendar.ics"
+            raise ValueError("Unsafe username")
         collection_url = collection.path.rstrip("/") or "/"
         if collection_url in (".well-known/carddav", ".well-known/caldav"):
             return permission == "r"