[CalendarServer-changes] [5730] CalendarServer/trunk/twistedcaldav

source_changes at macosforge.org source_changes at macosforge.org
Fri Jun 11 14:12:34 PDT 2010


Revision: 5730
          http://trac.macosforge.org/projects/calendarserver/changeset/5730
Author:   cdaboo at apple.com
Date:     2010-06-11 14:12:32 -0700 (Fri, 11 Jun 2010)
Log Message:
-----------
Reject per-user data injection.

Modified Paths:
--------------
    CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py
    CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py
    CalendarServer/trunk/twistedcaldav/method/put_common.py

Modified: CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py	2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/datafilters/peruserdata.py	2010-06-11 21:12:32 UTC (rev 5730)
@@ -124,6 +124,11 @@
 
         # Make sure input is valid
         icalnew = self.validCalendar(icalnew)
+        
+        # There cannot be any X-CALENDARSERVER-PERUSER components in the new data
+        for component in tuple(icalnew.subcomponents()):
+            if component.name() == PerUserDataFilter.PERUSER_COMPONENT:
+                raise ValueError("Cannot merge calendar data with X-CALENDARSERVER-PERUSER components in it")
 
         # First split the new data into common and per-user pieces
         self._splitPerUserData(icalnew)
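Review bot: The new check walks only the direct subcomponents of icalnew, so an X-CALENDARSERVER-PERUSER component nested inside another component, or a stray X-CALENDARSERVER-PERINSTANCE at the top level, would still reach _splitPerUserData; whether the parser can produce those shapes is not visible here, but if it can, a recursive walk over the tree would close the gap. Raising a plain ValueError also makes this rejection indistinguishable from any ValueError validCalendar may raise one line earlier, so a caller mapping ValueError to a 403 will label both cases the same way; a dedicated subclass such as `class PerUserDataInjectionError(ValueError): pass` raised here keeps existing `except ValueError` handlers working while letting them tell the cases apart. The enclosing merge method starts and ends outside the hunk.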

Modified: CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py	2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/datafilters/test/test_peruserdata.py	2010-06-11 21:12:32 UTC (rev 5730)
@@ -976,6 +976,35 @@
         for item in (data, Component.fromString(data),):
             self.assertEqual(str(PerUserDataFilter("").merge(item, None)), result02)
 
+    def test_prevent_injection(self):
+        
+        data = """BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//CALENDARSERVER.ORG//NONSGML Version 1//EN
+BEGIN:VEVENT
+UID:12345-67890
+DTSTART:20080601T120000Z
+DTEND:20080601T130000Z
+ATTENDEE:mailto:user1 at example.com
+ATTENDEE:mailto:user2 at example.com
+ORGANIZER;CN=User 01:mailto:user1 at example.com
+END:VEVENT
+BEGIN:X-CALENDARSERVER-PERUSER
+UID:12345-67890
+X-CALENDARSERVER-PERUSER-UID:user01
+BEGIN:X-CALENDARSERVER-PERINSTANCE
+END:X-CALENDARSERVER-PERINSTANCE
+END:X-CALENDARSERVER-PERUSER
+END:VCALENDAR
+""".replace("\n", "\r\n")
+        
+        for item in (data, Component.fromString(data),):
+            filter = PerUserDataFilter("user01")
+            self.assertRaises(ValueError, filter.merge, item, None)
+        for item in (data, Component.fromString(data),):
+            filter = PerUserDataFilter("")
+            self.assertRaises(ValueError, filter.merge, item, None)
+
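Review bot: `filter` shadows the builtin in both loops; `peruser_filter = PerUserDataFilter(uid)` reads better and avoids the shadowing. The test only covers a PERUSER component placed at the VCALENDAR top level, and because assertRaises accepts any ValueError it would also pass if merge failed for an unrelated reason such as validCalendar rejecting the input; if the test framework returns the raised exception from assertRaises, `self.assertIn("X-CALENDARSERVER-PERUSER", str(e))` would pin the behaviour this commit adds. The two loops differ only in the filter's UID and could be a single loop over `("user01", "")`.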
 class PerUserDataMergeTestNewRecurring (twistedcaldav.test.util.TestCase):
 
     def test_public_noperuser(self):

Modified: CalendarServer/trunk/twistedcaldav/method/put_common.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/put_common.py	2010-06-11 21:11:20 UTC (rev 5729)
+++ CalendarServer/trunk/twistedcaldav/method/put_common.py	2010-06-11 21:12:32 UTC (rev 5730)
@@ -806,7 +806,12 @@
             # and we should not change it. This is not ideal as we may duplicate it unnecessarily
             # but we currently have no api to let the caller tell us whether it cares about the
             # whether the calendar data is changed or not.
-            self.calendar = PerUserDataFilter(accessUID).merge(self.calendar.duplicate(), oldCal)
+            try:
+                self.calendar = PerUserDataFilter(accessUID).merge(self.calendar.duplicate(), oldCal)
+            except ValueError:
+                msg = "Invalid per-user data merge"
+                log.err(msg)
+                raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, (caldav_namespace, "valid-calendar-data"), description=msg))
             self.calendardata = None
             
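Review bot: `log.err(msg)` passes the string as the error object, so the exception that actually triggered the handler and its traceback are never recorded; inside the except block `log.err(None, msg)` logs the current exception with msg as the reason. The `except ValueError` also catches any ValueError that merge raises for reasons other than per-user injection, and all of them are reported as "Invalid per-user data merge" in both the log and the 403 description; narrowing the clause to a dedicated ValueError subclass raised by the injection check would keep the response and log line accurate. The enclosing method starts before the hunk, and the `@inlineCallbacks` line at the end belongs to the next definition.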
     @inlineCallbacks