Просмотр исходного кода

Convert component names safely to filenames
Component names are controlled by the user and
without this checks access to arbitrary files is
possible if the multifilesystem backend is used.

Unrud 10 лет назад
Родитель
Сommit
bcaf452e51
1 измененных файлов с 10 добавлено и 0 удалено
  1. 10 0
      radicale/storage/multifilesystem.py

+ 10 - 0
radicale/storage/multifilesystem.py

@@ -53,6 +53,11 @@ class Collection(filesystem.Collection):
             name = (
                 component.name if sys.version_info[0] >= 3 else
                 component.name.encode(filesystem.FILESYSTEM_ENCODING))
+            if not pathutils.is_safe_filesystem_path_component(name):
+                log.LOGGER.debug(
+                    "Can't tranlate name safely to filesystem, "
+                    "skipping component: %s", name)
+                continue
             filesystem_path = os.path.join(self._filesystem_path, name)
             with filesystem.open(filesystem_path, "w") as fd:
                 fd.write(text)
@@ -62,6 +67,11 @@ class Collection(filesystem.Collection):
         os.remove(self._props_path)
 
     def remove(self, name):
+        if not pathutils.is_safe_filesystem_path_component(name):
+            log.LOGGER.debug(
+                "Can't tranlate name safely to filesystem, "
+                "skipping component: %s", name)
+            return
         filesystem_path = os.path.join(self._filesystem_path, name)
         if os.path.exists(filesystem_path):
             os.remove(filesystem_path)