Convert component names safely to filenames
Component names are controlled by the user, and
without these checks access to arbitrary files is
possible if the multifilesystem backend is used.
Unrud committed Dec 24, 2015
1 parent b4b3d51 commit bcaf452
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions radicale/storage/multifilesystem.py
@@ -53,6 +53,11 @@ def write(self):
name = (
component.name if sys.version_info[0] >= 3 else
component.name.encode(filesystem.FILESYSTEM_ENCODING))
if not pathutils.is_safe_filesystem_path_component(name):
log.LOGGER.debug(
"Can't tranlate name safely to filesystem, "
"skipping component: %s", name)
continue
filesystem_path = os.path.join(self._filesystem_path, name)
with filesystem.open(filesystem_path, "w") as fd:
fd.write(text)
@@ -62,6 +67,11 @@ def delete(self):
os.remove(self._props_path)

def remove(self, name):
if not pathutils.is_safe_filesystem_path_component(name):
log.LOGGER.debug(
"Can't tranlate name safely to filesystem, "
"skipping component: %s", name)
return
filesystem_path = os.path.join(self._filesystem_path, name)
if os.path.exists(filesystem_path):
os.remove(filesystem_path)
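Review bot: Both added guards, in `write` and in `remove`, report a rejected component name only at debug level, so under a typical logging configuration a name that fails `pathutils.is_safe_filesystem_path_component` leaves no visible trace, even though the commit message says these names are user-controlled. I would log at warning level and format the name with `%r`, so that newlines or control characters in the name cannot forge log lines: `log.LOGGER.warning("Can't translate name safely to filesystem, skipping component: %r", name)`, which also fixes the "tranlate" typo. In `write` the `continue` means the component is dropped while the request presumably still succeeds; whether the caller should get an error instead cannot be judged here, because the loop and the start of `write` lie outside the hunk. The identical five-line guard in both methods could be one small private helper, so the two call sites cannot drift apart.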