[3609] CalendarServer/trunk/twistedcaldav/scheduling/processing.py
Revision: 3609 http://trac.macosforge.org/projects/calendarserver/changeset/3609
Author: cdaboo@apple.com
Date: 2009-01-26 08:46:23 -0800 (Mon, 26 Jan 2009)
Log Message:
-----------
Make sure the ORGANIZER property cannot be faked.
Modified Paths:
--------------
CalendarServer/trunk/twistedcaldav/scheduling/processing.py
Modified: CalendarServer/trunk/twistedcaldav/scheduling/processing.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/scheduling/processing.py 2009-01-26 16:43:17 UTC (rev 3608)
+++ CalendarServer/trunk/twistedcaldav/scheduling/processing.py 2009-01-26 16:46:23 UTC (rev 3609)
@@ -25,6 +25,7 @@
 from twistedcaldav.log import Logger
 from twistedcaldav.method import report_common
 from twistedcaldav.scheduling.itip import iTipProcessing, iTIPRequestStatus
+from twistedcaldav.scheduling.cuaddress import normalizeCUAddr
 import datetime
 import time
@@ -221,6 +222,16 @@
 @inlineCallbacks
 def doImplicitAttendeeUpdate(self):
+ # Do security check: ORGANZIER in iTIP MUST match existing resource value
+ if self.recipient_calendar:
+ existing_organizer = self.recipient_calendar.getOrganizer()
+ existing_organizer = normalizeCUAddr(existing_organizer) if existing_organizer else ""
+ new_organizer = normalizeCUAddr(self.message.getOrganizer())
+ new_organizer = normalizeCUAddr(new_organizer) if new_organizer else ""
+ if existing_organizer != new_organizer:
+ log.debug("ImplicitProcessing - originator '%s' to recipient '%s' ignoring UID: '%s' - organizer has no copy" % (self.originator.cuaddr, self.recipient.cuaddr, self.uid))
+ raise ImplicitProcessorException("5.3;Organizer change not allowed")
+ # Different based on method
 if self.method == "REQUEST":
 result = (yield self.doImplicitAttendeeRequest())
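Review bot: In the second hunk, `new_organizer = normalizeCUAddr(self.message.getOrganizer())` normalizes the message's ORGANIZER before the `if new_organizer else ""` guard on the following line, so the guard comes too late and the value is normalized twice, whereas the existing-resource side is fetched and guarded first. If the iTIP message carries no ORGANIZER and getOrganizer() returns a false value, the outcome depends on how normalizeCUAddr treats it (not visible here) rather than ending in the 5.3 rejection; fetching first with `new_organizer = self.message.getOrganizer()` mirrors the two lines above it. The rejection is logged only at debug level with the text "organizer has no copy", which looks copied from another branch; a refused organizer change is worth logging above debug with both organizer values so that an attempted organizer spoof can be traced. The comment also misspells ORGANIZER as "ORGANZIER", and doImplicitAttendeeUpdate's body continues outside the hunk.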