[15783] CalendarServer/trunk/txdav/caldav/datastore
Revision: 15783 http://trac.calendarserver.org//changeset/15783 Author: cdaboo@apple.com Date: 2016-08-03 11:01:01 -0700 (Wed, 03 Aug 2016) Log Message: ----------- Make sure illegal characters in attachment file names are stripped. Modified Paths: -------------- CalendarServer/trunk/txdav/caldav/datastore/sql.py CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py
Modified: CalendarServer/trunk/txdav/caldav/datastore/sql.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/sql.py 2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/sql.py 2016-08-03 18:01:01 UTC (rev 15783)
@@ -4895,6 +4895,11 @@
  # Check validity of request
  yield self._checkValidManagedAttachmentChange()
+ # Protect against invalid file names
+ if isinstance(filename, unicode):
+ filename = filename.encode("utf-8")
+ filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
  # First write the data stream
  # We need to know the resource_ID of the home collection of the owner
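Review bot: The deletion string passed to `filename.translate(None, ...)` skips `\x09`, `\x0A` and `\x0D` (and `\x7F`), so a client-supplied name can still carry CR/LF into whatever is built from it; the test in this commit shows the name ends up in the ATTACH `FILENAME` parameter. If the omission is intentional, say so in a comment next to the string; otherwise extend it with `\x09\x0A\x0D\x7F`. The same three statements are repeated in the second hunk (`@@ -4949,6 +4954,11 @@`), so one module-level constant plus a small helper, e.g. `filename = _stripIllegalFilenameChars(filename)`, would keep the two call sites from drifting apart. Both enclosing methods start and end outside the hunks, so it is not visible whether `filename` can be `None` here, which would make `.translate` raise.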
@@ -4949,6 +4954,11 @@
  # Check validity of request
  yield self._checkValidManagedAttachmentChange()
+ # Protect against invalid file names
+ if isinstance(filename, unicode):
+ filename = filename.encode("utf-8")
+ filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
  # First check the supplied managed-id is associated with this resource
  cobjs = (yield ManagedAttachment.referencesTo(self._txn, managed_id))
  if self._resourceID not in cobjs:
Modified: CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py 2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py 2016-08-03 18:01:01 UTC (rev 15783)
@@ -1495,7 +1495,57 @@
  self.assertEquals(data, "new attachment text")
+ @inlineCallbacks
+ def test_validFilename(self):
+ """
+ L{CalendarObject.addAttachment} will remove any invalid characters from the supplied file name.
+ """
+ # Create attachment
+ obj = yield self.calendarObjectUnderTest()
+ attachment, _ignore_location = yield obj.addAttachment(None, MimeType("text", "x-fixture"), "new\x1F.attachment", MemoryStream("new attachment text"))
+ self.assertEqual(attachment.name(), "new.attachment")
+ yield self.commit()
+
+ # Verify parameters exist
+ obj = yield self.calendarObjectUnderTest()
+ component = yield obj.componentForUser()
+ attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+ self.assertEqual(len(attachments), 1)
+ attach = attachments[0]
+ managed_id = attach.parameterValue("MANAGED-ID")
+ fmttype = attach.parameterValue("FMTTYPE")
+ filename = attach.parameterValue("FILENAME")
+ size = attach.parameterValue("SIZE")
+
+ self.assertEqual(fmttype, "text/x-fixture")
+ self.assertEqual(filename, "new.attachment")
+ self.assertEqual(int(size), 19)
+ yield self.commit()
+
+ # Update attachment
+ obj = yield self.calendarObjectUnderTest()
+ attachment, _ignore_location = yield obj.updateAttachment(managed_id, MimeType("text", "x-fixture"), "updated\x1F.attachment", MemoryStream("updated attachment text"))
+ self.assertEqual(attachment.name(), "updated.attachment")
+ yield self.commit()
+
+ # Verify parameters exist
+ obj = yield self.calendarObjectUnderTest()
+ component = yield obj.componentForUser()
+ attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+ self.assertEqual(len(attachments), 1)
+ attach = attachments[0]
+ managed_id = attach.parameterValue("MANAGED-ID")
+ fmttype = attach.parameterValue("FMTTYPE")
+ filename = attach.parameterValue("FILENAME")
+ size = attach.parameterValue("SIZE")
+
+ self.assertEqual(fmttype, "text/x-fixture")
+ self.assertEqual(filename, "updated.attachment")
+ self.assertEqual(int(size), 23)
+ yield self.commit()
+
+
  now = DateTime.getToday().getYear()
  PLAIN_ICS = """BEGIN:VCALENDAR
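Review bot: `test_validFilename` only passes plain string literals containing `\x1F`, so, as far as the hunk shows, the new `isinstance(filename, unicode)` branch in `sql.py` is never exercised. Add a case that supplies a unicode name, e.g. `u"new\x1F.attachment"`, and asserts that `attachment.name()` is still `"new.attachment"`. A further case with a control character the filter deliberately keeps (or with `\r\n`, if those are added to the filter) would pin where the boundary is meant to be.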