From 0bda305948ab1b4343b18795d607f31943479cc9 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 23 Jan 2023 21:22:22 +0000
Subject: [PATCH 1/2] Check for bad paths
---
 daemon.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/daemon.py b/daemon.py
index 5202e73e4..817b7c00d 100644
--- a/daemon.py
+++ b/daemon.py
@@ -16701,7 +16701,17 @@ class PubServer(BaseHTTPRequestHandler):
 return True
 return False
+ def _check_bad_path(self):
+ if '..' in self.path or '%2e%2e' in self.path or '%2E%2E' in self.path:
+ print('WARN: bad path ' + self.path)
+ self._400()
+ return True
+ return False
+
 def do_GET(self):
+ if self._check_bad_path():
+ return
+
 calling_domain = self.server.domain_full
 if self.headers.get('Host'):
@@ -20439,18 +20449,33 @@ class PubServer(BaseHTTPRequestHandler):
 self._200()
 def do_PROPFIND(self):
+ if self._check_bad_path():
+ return
+
 self._dav_handler('propfind', self.server.debug)
 def do_PUT(self):
+ if self._check_bad_path():
+ return
+
 self._dav_handler('put', self.server.debug)
 def do_REPORT(self):
+ if self._check_bad_path():
+ return
+
 self._dav_handler('report', self.server.debug)
 def do_DELETE(self):
+ if self._check_bad_path():
+ return
+
 self._dav_handler('delete', self.server.debug)
 def do_HEAD(self):
+ if self._check_bad_path():
+ return
+
 calling_domain = self.server.domain_full
 if self.headers.get('Host'):
 calling_domain = decoded_host(self.headers['Host'])
@@ -22081,6 +22106,9 @@ class PubServer(BaseHTTPRequestHandler):
 self._400()
 def do_POST(self):
+ if self._check_bad_path():
+ return
+
 proxy_type = self.server.proxy_type
 postreq_start_time = time.time()
From bb9af5b86050511d1f940fa8adc8959b16922b4b Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 23 Jan 2023 23:18:03 +0000
Subject: [PATCH 2/2] Extra bad path
---
 daemon.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/daemon.py b/daemon.py
index 817b7c00d..0f5b65e4a 100644
--- a/daemon.py
+++ b/daemon.py
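Review bot: The `_check_bad_path` added in the first hunk tests the raw request target, and in `BaseHTTPRequestHandler` `self.path` still carries the query string, so a request whose query value merely contains `..` is answered with 400 exactly like a traversing path; if that is not intended, test `urllib.parse.urlsplit(self.path).path` instead. The warning is emitted with `print(...)` and embeds the unmodified `self.path`, so whatever the client sent lands verbatim on stdout; the rest of daemon.py may log the same way, but `repr(self.path)` would at least keep control characters visible in the log. The method also has no docstring, and every `do_*` handler now depends on its contract; `"""Reject request paths that look like directory traversal; sends a 400 and returns True when the request was rejected."""` would state it. The second and third hunks only add the same guard call to the other handlers, and each of those handler bodies continues outside its hunk.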
@@ -16702,7 +16702,10 @@ class PubServer(BaseHTTPRequestHandler):
 return False
 def _check_bad_path(self):
- if '..' in self.path or '%2e%2e' in self.path or '%2E%2E' in self.path:
+ path_lower = self.path.lower()
+ if '..' in path_lower or \
+ '%2e%2e' in path_lower or \
+ '%252e%252e' in path_lower:
 print('WARN: bad path ' + self.path)
 self._400()
 return True
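Review bot: The rewritten condition is still a substring denylist applied before any percent-decoding, so it recognises only the three spellings it lists (`..`, `%2e%2e`, `%252e%252e`) and any other percent-encoded form of the same two characters is not matched; decoding once and then testing is both shorter and covers single and double encoding uniformly: `path_lower = unquote(self.path).lower()` followed by `if '..' in path_lower or '%2e%2e' in path_lower:` (add `from urllib.parse import unquote` if daemon.py does not already import it). The backslash continuations would read better as a single parenthesised condition, which is the form PEP 8 recommends. The function's closing `return False` lies outside the hunk.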