Check for bad paths

daemon.py

@@ -16701,7 +16701,17 @@ class PubServer(BaseHTTPRequestHandler):
             return True
         return False
 
+    def _check_bad_path(self):
+        if '..' in self.path or '%2e%2e' in self.path or '%2E%2E' in self.path:
+            print('WARN: bad path ' + self.path)
+            self._400()
+            return True
+        return False
+
     def do_GET(self):
+        if self._check_bad_path():
+            return
+
         calling_domain = self.server.domain_full
 
         if self.headers.get('Host'):
@@ -20439,18 +20449,33 @@ class PubServer(BaseHTTPRequestHandler):
         self._200()
 
     def do_PROPFIND(self):
+        if self._check_bad_path():
+            return
+
         self._dav_handler('propfind', self.server.debug)
 
     def do_PUT(self):
+        if self._check_bad_path():
+            return
+
         self._dav_handler('put', self.server.debug)
 
     def do_REPORT(self):
+        if self._check_bad_path():
+            return
+
         self._dav_handler('report', self.server.debug)
 
     def do_DELETE(self):
+        if self._check_bad_path():
+            return
+
         self._dav_handler('delete', self.server.debug)
 
     def do_HEAD(self):
+        if self._check_bad_path():
+            return
+
         calling_domain = self.server.domain_full
         if self.headers.get('Host'):
             calling_domain = decoded_host(self.headers['Host'])
@@ -22081,6 +22106,9 @@ class PubServer(BaseHTTPRequestHandler):
             self._400()
 
     def do_POST(self):
+        if self._check_bad_path():
+            return
+
         proxy_type = self.server.proxy_type
         postreq_start_time = time.time()