[3609] CalendarServer/trunk/twistedcaldav/scheduling/processing.py

Revision: 3609
Author: cdaboo@apple.com
Date: 2009-01-26 08:46:23 -0800 (Mon, 26 Jan 2009)

Log Message

Make sure the ORGANIZER property cannot be faked.

Modified Paths

CalendarServer/trunk/twistedcaldav/scheduling/processing.py

Diff

Modified: CalendarServer/trunk/twistedcaldav/scheduling/processing.py (3608 => 3609)


--- CalendarServer/trunk/twistedcaldav/scheduling/processing.py	2009-01-26 16:43:17 UTC (rev 3608)
+++ CalendarServer/trunk/twistedcaldav/scheduling/processing.py	2009-01-26 16:46:23 UTC (rev 3609)
@@ -25,6 +25,7 @@
 from twistedcaldav.log import Logger
 from twistedcaldav.method import report_common
 from twistedcaldav.scheduling.itip import iTipProcessing, iTIPRequestStatus
+from twistedcaldav.scheduling.cuaddress import normalizeCUAddr
 import datetime
 import time
 
@@ -221,6 +222,16 @@
     @inlineCallbacks
     def doImplicitAttendeeUpdate(self):
         
+        # Do security check: ORGANZIER in iTIP MUST match existing resource value
+        if self.recipient_calendar:
+            existing_organizer = self.recipient_calendar.getOrganizer()
+            existing_organizer = normalizeCUAddr(existing_organizer) if existing_organizer else ""
+            new_organizer = normalizeCUAddr(self.message.getOrganizer())
+            new_organizer = normalizeCUAddr(new_organizer) if new_organizer else ""
+            if existing_organizer != new_organizer:
+                log.debug("ImplicitProcessing - originator '%s' to recipient '%s' ignoring UID: '%s' - organizer has no copy" % (self.originator.cuaddr, self.recipient.cuaddr, self.uid))
+                raise ImplicitProcessorException("5.3;Organizer change not allowed")
+
         # Different based on method
         if self.method == "REQUEST":
             result = (yield self.doImplicitAttendeeRequest())