[CalendarServer-changes] [5730] CalendarServer/trunk/twistedcaldav
source_changes at macosforge.org
source_changes at macosforge.org
Fri Jun 11 14:12:34 PDT 2010
Revision: 5730
http://trac.macosforge.org/projects/calendarserver/changeset/5730
Author: cdaboo at apple.com
Date: 2010-06-11 14:12:32 -0700 (Fri, 11 Jun 2010)
Log Message:
-----------
Reject per-user data injection.
Modified Paths:
--------------
CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py
CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py
CalendarServer/trunk/twistedcaldav/method/put_common.py
Modified: CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py 2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py 2010-06-11 21:12:32 UTC (rev 5730)
@@ -124,6 +124,11 @@
# Make sure input is valid
icalnew = self.validCalendar(icalnew)
+
+ # There cannot be any X-CALENDARSERVER-PERUSER components in the new data
+ for component in tuple(icalnew.subcomponents()):
+ if component.name() == PerUserDataFilter.PERUSER_COMPONENT:
+ raise ValueError("Cannot merge calendar data with X-CALENDARSERVER-PERUSER components in it")
# First split the new data into common and per-user pieces
self._splitPerUserData(icalnew)
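Review bot: The guard added before the split inspects only the direct subcomponents of icalnew, so an X-CALENDARSERVER-PERUSER component nested inside a VEVENT or another child would pass it unless validCalendar already rejects such nesting, which is not visible in this hunk. The `tuple(...)` wrapper is unnecessary because the loop does not mutate icalnew; `for component in icalnew.subcomponents():` reads more plainly. Raising a bare ValueError forces callers to catch a very generic exception; a module-level `class PerUserDataError(ValueError)` raised here would let put_common catch it without masking other ValueErrors from the merge. The enclosing method (presumably merge, given the callers in the other hunks) starts outside the hunk.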
Modified: CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py 2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py 2010-06-11 21:12:32 UTC (rev 5730)
@@ -976,6 +976,35 @@
for item in (data, Component.fromString(data),):
self.assertEqual(str(PerUserDataFilter("").merge(item, None)), result02)
+ def test_prevent_injection(self):
+
+ data = """BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//CALENDARSERVER.ORG//NONSGML Version 1//EN
+BEGIN:VEVENT
+UID:12345-67890
+DTSTART:20080601T120000Z
+DTEND:20080601T130000Z
+ATTENDEE:mailto:user1 at example.com
+ATTENDEE:mailto:user2 at example.com
+ORGANIZER;CN=User 01:mailto:user1 at example.com
+END:VEVENT
+BEGIN:X-CALENDARSERVER-PERUSER
+UID:12345-67890
+X-CALENDARSERVER-PERUSER-UID:user01
+BEGIN:X-CALENDARSERVER-PERINSTANCE
+END:X-CALENDARSERVER-PERINSTANCE
+END:X-CALENDARSERVER-PERUSER
+END:VCALENDAR
+""".replace("\n", "\r\n")
+
+ for item in (data, Component.fromString(data),):
+ filter = PerUserDataFilter("user01")
+ self.assertRaises(ValueError, filter.merge, item, None)
+ for item in (data, Component.fromString(data),):
+ filter = PerUserDataFilter("")
+ self.assertRaises(ValueError, filter.merge, item, None)
+
class PerUserDataMergeTestNewRecurring (twistedcaldav.test.util.TestCase):
def test_public_noperuser(self):
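Review bot: test_prevent_injection binds the local name `filter`, shadowing the builtin, in both loops; naming it `peruser = PerUserDataFilter(uid)` and folding the two identical loops into one outer loop over `("user01", "")` removes the duplication and the shadowing. The only rejected input is a top-level X-CALENDARSERVER-PERUSER component; a companion case with that component nested inside the VEVENT would document whether nested injection is also refused, or whether that is left to validCalendar. A one-line docstring such as `"""Merging data that already carries X-CALENDARSERVER-PERUSER components must be refused."""` would state the intent of the test.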
Modified: CalendarServer/trunk/twistedcaldav/method/put_common.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/put_common.py 2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/method/put_common.py 2010-06-11 21:12:32 UTC (rev 5730)
@@ -806,7 +806,12 @@
# and we should not change it. This is not ideal as we may duplicate it unnecessarily
# but we currently have no api to let the caller tell us whether it cares about the
# whether the calendar data is changed or not.
- self.calendar = PerUserDataFilter(accessUID).merge(self.calendar.duplicate(), oldCal)
+ try:
+ self.calendar = PerUserDataFilter(accessUID).merge(self.calendar.duplicate(), oldCal)
+ except ValueError:
+ msg = "Invalid per-user data merge"
+ log.err(msg)
+ raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
self.calendardata = None
@inlineCallbacks
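Review bot: The new `except ValueError` around the merge call catches every ValueError raised anywhere inside PerUserDataFilter.merge, not only the per-user injection rejection, so unrelated failures would be reported to the client as the "Invalid per-user data merge" precondition; catching a dedicated subclass, or re-raising when the exception is not the injection case, would keep the mapping precise. `log.err(msg)` logs only the fixed string and drops the exception detail and traceback; assuming log is the Twisted-style logger, `log.err()` called with no arguments inside the except clause records the active failure, and msg can remain the client-facing description. The enclosing method starts and ends outside the hunk.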