From 2d170bd41fec93aae9a35dbf68aa6d758f10670d Mon Sep 17 00:00:00 2001 From: Unrud Date: Tue, 7 Mar 2017 17:44:07 +0100 Subject: [PATCH] Check for conflicting file names On Windows file systems the user "TESTUS~1" can access the data of the user "testuser". --- radicale/storage.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/radicale/storage.py b/radicale/storage.py index e38e3c4..e9d954a 100644 --- a/radicale/storage.py +++ b/radicale/storage.py @@ -172,7 +172,13 @@ def path_to_filesystem(root, *paths): for part in path.split("/"): if not is_safe_filesystem_path_component(part): raise UnsafePathError(part) + safe_path_parent = safe_path safe_path = os.path.join(safe_path, part) + # Check for conflicting files (e.g. case-insensitive file systems + # or short names on Windows file systems) + if os.path.lexists(safe_path): + if not part in os.listdir(safe_path_parent): + raise CollidingPathError(part) return safe_path @@ -182,6 +188,12 @@ class UnsafePathError(ValueError): super().__init__(message) +class CollidingPathError(ValueError): + def __init__(self, path): + message = "File name collision: %s" % path + super().__init__(message) + + class ComponentExistsError(ValueError): def __init__(self, path): message = "Component already exists: %s" % path
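Review bot: The collision check added to path_to_filesystem is not atomic and reads the whole parent directory for every existing component. `os.path.lexists(safe_path)` and `os.listdir(safe_path_parent)` are separate calls, so an entry removed between them is reported as a `CollidingPathError`, and an `OSError` from `listdir` escapes as something other than a `ValueError`. The membership test is an exact string comparison, so on a file system that returns names in a different Unicode normalization form than the request used, a legitimate name would presumably be rejected; that fails closed, but it deserves a comment next to the check. For style, the nested `if`s read better as `if os.path.lexists(safe_path) and part not in os.listdir(safe_path_parent):`, since PEP 8 prefers `part not in` over `not part in`. The function starts above this hunk, so how `safe_path` is initialised from `root` is not visible here.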
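Review bot: `CollidingPathError` is added without a docstring, and nothing in this commit shows how callers handle it. The diffstat lists only radicale/storage.py, so unless the request handlers already catch `ValueError` (or `UnsafePathError`'s base) around `path_to_filesystem`, a colliding name may surface as an unhandled error rather than a clean rejection; that is worth confirming. A one-line docstring such as `"""Raised when a path component matches an existing entry only through file-system aliasing (case folding, Windows short names)."""` would record why this is separate from `UnsafePathError`. The message interpolates the client-supplied component with `%s`, so it should be escaped or repr-formatted wherever it is logged.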