[Calypso] patches, has_git, parent encoding
chrysn at fsfe.org
Sun Sep 1 04:36:04 PDT 2013
hello calypso developers,
* i have doubts about calypso's security handling of non-normalized
paths; the typical GET /../../../../../etc/passwd kind of issues.
while that very attack does not work, enough ../ paths are flying
around in debug output to make me worried. in particular, the
# unquote, strip off any trailing slash, then clean up /../ and // entries
line in paths.py does *not* clean up /../ components.
i propose that the path handling be reviewed (but can't volunteer
right now for time constraints).
* has_git: since 86bb711f1 (summer 2012), collections are only
recognized if they reside in git anyway. the has_git function in
calypso/webdav.py therefore is only a relic.
which direction should calypso go -- depend on git or make it optional?
* deep-in-git collections: i prefer to have many collections (address
books as well as calendars) in a single git repository, i.e.
patches to that effect can be found on my branch chrysn/master on
alioth, along with older ones already announced on the list (esp.
meaningful commit messages containing contact name).
to readers who are not involved in debian: there has been a packaging
proposal for calypso in debian, which also contained a few
patches. both the packaging and the patches were uploaded to the debian
version control system [collab-maint/calypso.git], where my suggestions
can be found in the chrysn/master branch, along with a merging of the
proposed patches to calypso 1.1 (in the chryn/from-joe-nahmias branch).
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom
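The path cleanup the mail asks for, as an added example in Python (this is not Calypso's paths.py and not a patch from the author or the project): it unquotes once, drops a trailing slash, collapses `//` and `./`, resolves `..` by walking segments instead of stripping literal text, and refuses any path that would climb above the root. A second check maps the result onto the filesystem and verifies containment. The names `clean_path` and `resolve_under_root`, the root directory `/var/lib/calypso`, and the sample requests are assumptions constructed for the example.

```python
"""Request-path cleanup for a CalDAV/CardDAV style server, with a containment check.
Added example; names and the root directory below are assumptions, not Calypso code."""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path tries to climb above the collection root."""


def clean_path(raw_path):
    """Unquote, drop a trailing slash, collapse '//' and './', resolve '../'.

    Unlike a regex that only removes the literal text '/../', this walks the
    segments, so '..' can never escape the root: climbing above it raises.
    """
    # Decode percent-encoding exactly once. A doubly encoded '%252e%252e'
    # decodes to the literal text '%2e%2e', which is then just a plain name.
    path = unquote(raw_path)
    segments = []
    for part in path.split("/"):
        if part in ("", "."):
            continue                       # collapses '//' and '/./'
        if part == "..":
            if not segments:
                raise PathTraversalError("path climbs above root: %r" % raw_path)
            segments.pop()
            continue
        segments.append(part)
    return "/" + "/".join(segments)        # also drops any trailing slash


def resolve_under_root(root, raw_path):
    """Map a cleaned request path onto the filesystem and verify containment.

    Belt and braces: even after clean_path, compare the absolute result with
    the root so a future bug in the cleanup cannot hand out files outside it.
    abspath does not follow symlinks; use os.path.realpath on both values if
    the collection tree may contain links pointing elsewhere.
    """
    root = os.path.abspath(root)
    relative = clean_path(raw_path).lstrip("/")
    candidate = os.path.abspath(os.path.join(root, relative))
    # Both values are absolute here, so commonpath will not raise.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError("resolved outside root: %r" % candidate)
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the kind of traversal attempt
    # the mail mentions seeing in debug output.
    for request in ("/contacts/alice.vcf", "/a//b/./c/",
                    "/contacts/%2e%2e/private", "/../../../../../etc/passwd"):
        try:
            print(request, "->", resolve_under_root("/var/lib/calypso", request))
        except PathTraversalError as err:
            print(request, "-> rejected:", err)
```

The segment walk is the part that matters: text-based cleanup ("remove `/../`") leaves `/..//` or a percent-encoded `%2e%2e` behind, whereas rejecting a `..` that pops an empty stack makes the outcome independent of how the traversal was spelled.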