[CalendarServer-changes] [4944] CalendarServer/branches/users/wsanchez/deployment/twistedcaldav/ method/copymove.py

source_changes at macosforge.org source_changes at macosforge.org
Wed Jan 20 11:28:12 PST 2010


Revision: 4944
          http://trac.macosforge.org/projects/calendarserver/changeset/4944
Author:   cdaboo at apple.com
Date:     2010-01-20 11:28:11 -0800 (Wed, 20 Jan 2010)
Log Message:
-----------
Make sure COPY/MOVE Destination URIs can be either of http or https types.

Modified Paths:
--------------
    CalendarServer/branches/users/wsanchez/deployment/twistedcaldav/method/copymove.py

Modified: CalendarServer/branches/users/wsanchez/deployment/twistedcaldav/method/copymove.py
===================================================================
--- CalendarServer/branches/users/wsanchez/deployment/twistedcaldav/method/copymove.py	2010-01-20 19:27:20 UTC (rev 4943)
+++ CalendarServer/branches/users/wsanchez/deployment/twistedcaldav/method/copymove.py	2010-01-20 19:28:11 UTC (rev 4944)
@@ -28,9 +28,10 @@
 from twisted.web2.dav import davxml
 from twisted.web2.dav.http import ErrorResponse
 from twisted.web2.dav.util import parentForURL
-from twisted.web2.http import StatusResponse, HTTPError
+from twisted.web2.http import StatusResponse, HTTPError, splitHostPort
 
 from twistedcaldav.caldavxml import caldav_namespace
+from twistedcaldav.config import config
 from twistedcaldav.method.put_common import storeCalendarObjectResource
 from twistedcaldav.resource import isCalendarCollectionResource
 from twistedcaldav.log import Logger
@@ -252,6 +253,27 @@
         log.err(msg)
         raise HTTPError(StatusResponse(responsecode.BAD_REQUEST, msg))
     
+    # Make sure it is a valid resource URI, but strip off the scheme:host details
+    (scheme, host, path, query, fragment) = urlsplit(destination_uri)
+    if query or fragment:
+        raise HTTPError(StatusResponse(
+            responsecode.BAD_REQUEST,
+            "URL may not contain a query or fragment: %s" % (destination_uri,)
+        ))
+    if scheme and scheme not in ("http", "https",):
+        raise HTTPError(StatusResponse(
+            responsecode.BAD_GATEWAY,
+            "URL is not on this site (%s://%s/): %s" % (request.scheme, request.headers.getHeader("host"), destination_uri)
+        ))
+    elif host:
+        host, port = splitHostPort(scheme, host)
+        if host != config.ServerHostName or port not in (config.HTTPPort, config.SSLPort,):
+            raise HTTPError(StatusResponse(
+                responsecode.BAD_GATEWAY,
+                "URL is not on this site (%s://%s/): %s" % (request.scheme, request.headers.getHeader("host"), destination_uri)
+            ))
+    destination_uri = path
+
     destination = waitForDeferred(request.locateResource(destination_uri))
     yield destination
     destination = destination.getResult()
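Review bot: The host test in `if host != config.ServerHostName or port not in (config.HTTPPort, config.SSLPort,):` is an exact, case-sensitive string match, but host names are case-insensitive, so a Destination header that names this server with different letter case is rejected with 502. Comparing `host.lower() != config.ServerHostName.lower()` would fix that while keeping the same-site restriction. Both 502 messages print `request.scheme` and the request's Host header rather than the `config.ServerHostName` and ports actually compared, so the text can name a site the check never looked at. `urlsplit` is called here but is not among the imports added in the first hunk; presumably it is already imported elsewhere in the file, which is worth confirming. The enclosing function starts and ends outside the hunk.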