[Calypso] patches, has_git, parent encoding

chrysn chrysn at fsfe.org
Sun Sep 1 04:36:04 PDT 2013


hello calypso developers,

* i have doubts about calypso's security handling of non-normalized
  paths; the typical GET /../../../../../etc/passwd kind of issues.

  while that very attack does not work, enough ../ paths are flying
  around in debug output to make me worried. in particular, the

  # unquote, strip off any trailing slash, then clean up /../ and // entries

  line in paths.py does *not* clean up /../ components.

  i propose that the path handling be reviewed (but can't volunteer
  right now for time constraints).

* has_git: since 86bb711f1 (summer 2012), collections are only
  recognized if they reside in git anyway. the has_git function in
  calypso/webdav.py therefore is only a relic.

  which direction should calypso go -- depend on git or make it optional
  again?

* deep-in-git collections: i prefer to have many collections (address
  books as well as calendars) in a single git repository, i.e.
  ~/.config/calypso/calendars/.git and
  ~/.config/calypso/calendars/{chrysn,...}/{calendar,addresses}.

  patches to that effect can be found on my branch chrysn/master on
  alioth, along with older ones already announced on the list (esp.
  meaningful commit messages containing contact name).

to readers who are not involved in debian: there has been a packaging
proposal for calypso in debian [683791], which also contained a few
patches. both the packaging and the patches were uploaded to the debian
version control system [collab-maint/calypso.git], where my suggestions
can be found in the chrysn/master branch, along with a merging of the
proposed patches to calypso 1.1 (in the chryn/from-joe-nahmias branch).

best regards
chrysn

[683791]: http://bugs.debian.org/683791
[collab-maint/calypso.git]: http://anonscm.debian.org/gitweb/?p=collab-maint/calypso.git;a=summary

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom
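The first point above, as an added example that is not part of the original mail and not calypso's own code: `naive_clean` reproduces only what the quoted paths.py comment describes (unquote, strip a trailing slash), which leaves `..` segments in place; `resolve_under_root` is one way to map a request path onto a collection directory safely, by decoding exactly once, rejecting dot segments outright, and then checking containment against the root as an independent second barrier. The root directory `/srv/calypso` and the request paths are constructed sample values.

```python
"""Request-path containment for a WebDAV-style collection tree.

Added example; not calypso's code. The root and request paths are
constructed sample values.
"""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path would escape the collection root."""


def naive_clean(request_path):
    """What the quoted comment describes: percent-decode and strip a
    trailing slash. Constructed for illustration; note that '..' segments
    survive untouched, so this alone is not a traversal defence."""
    return unquote(request_path).rstrip("/")


def split_segments(request_path):
    """Percent-decode exactly once, then split into non-empty segments.

    Decoding once means '%2e%2e' becomes '..' (and is rejected later),
    while a double-encoded '%252e%252e' becomes the literal file name
    '%2e%2e', which is harmless. Empty segments from '//' and from
    leading or trailing slashes are dropped.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in request path")
    return [seg for seg in decoded.split("/") if seg]


def resolve_under_root(root, request_path):
    """Return the absolute filesystem path for request_path under root.

    Dot segments are rejected rather than silently collapsed, so an
    attempt to climb out of the tree fails loudly instead of being
    mapped to some other file. A containment check on the joined path
    is kept as a second, independent barrier.
    """
    segments = split_segments(request_path)
    for seg in segments:
        if seg in (".", ".."):
            raise PathTraversalError(
                "dot segment %r in request path %r" % (seg, request_path))

    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, *segments))
    # commonpath must be the root itself; anything else escaped the tree.
    # (os.path.realpath would additionally follow symlinks, which matters
    # if collections may contain links pointing outside the root.)
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise PathTraversalError(
            "request path %r resolves outside %r" % (request_path, root_abs))
    return candidate


def is_contained(root, request_path):
    """True if request_path maps to a location under root."""
    try:
        resolve_under_root(root, request_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    root = "/srv/calypso"  # constructed sample root
    samples = [
        "/chrysn/calendar/",
        "/a//b",
        "/../../etc/passwd",
        "/a/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/x",
    ]
    for req in samples:
        print("%-32s naive=%-28s contained=%s"
              % (req, naive_clean(req), is_contained(root, req)))
```

The contrast to watch is the second-to-last sample: `naive_clean` turns `%2e%2e` into `..` and leaves it there, whereas `resolve_under_root` rejects it. The last sample shows why decoding exactly once matters: the double-encoded form stays a literal directory name and is contained.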