[CalendarServer-changes] [3609] CalendarServer/trunk/twistedcaldav/scheduling/processing.py

source_changes at macosforge.org source_changes at macosforge.org
Mon Jan 26 08:46:23 PST 2009 

Revision: 3609
          http://trac.macosforge.org/projects/calendarserver/changeset/3609
Author:   cdaboo at apple.com
Date:     2009-01-26 08:46:23 -0800 (Mon, 26 Jan 2009)
Log Message:
-----------
Make sure the ORGANIZER property cannot be faked.

Modified Paths:
--------------
    CalendarServer/trunk/twistedcaldav/scheduling/processing.py

Modified: CalendarServer/trunk/twistedcaldav/scheduling/processing.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/scheduling/processing.py	2009-01-26 16:43:17 UTC (rev 3608)
+++ CalendarServer/trunk/twistedcaldav/scheduling/processing.py	2009-01-26 16:46:23 UTC (rev 3609)
@@ -25,6 +25,7 @@
 from twistedcaldav.log import Logger
 from twistedcaldav.method import report_common
 from twistedcaldav.scheduling.itip import iTipProcessing, iTIPRequestStatus
+from twistedcaldav.scheduling.cuaddress import normalizeCUAddr
 import datetime
 import time
 
@@ -221,6 +222,16 @@
     @inlineCallbacks
     def doImplicitAttendeeUpdate(self):
         
+        # Do security check: ORGANZIER in iTIP MUST match existing resource value
+        if self.recipient_calendar:
+            existing_organizer = self.recipient_calendar.getOrganizer()
+            existing_organizer = normalizeCUAddr(existing_organizer) if existing_organizer else ""
+            new_organizer = normalizeCUAddr(self.message.getOrganizer())
+            new_organizer = normalizeCUAddr(new_organizer) if new_organizer else ""
+            if existing_organizer != new_organizer:
+                log.debug("ImplicitProcessing - originator '%s' to recipient '%s' ignoring UID: '%s' - organizer has no copy" % (self.originator.cuaddr, self.recipient.cuaddr, self.uid))
+                raise ImplicitProcessorException("5.3;Organizer change not allowed")
+
         # Different based on method
         if self.method == "REQUEST":
             result = (yield self.doImplicitAttendeeRequest())
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20090126/02375deb/attachment.html>

More information about the calendarserver-changes mailing list