[CalendarServer-changes] [6585] CalendarServer/trunk/twistedcaldav

source_changes at macosforge.org source_changes at macosforge.org
Tue Nov 9 18:26:07 PST 2010


Revision: 6585
          http://trac.macosforge.org/projects/calendarserver/changeset/6585
Author:   cdaboo at apple.com
Date:     2010-11-09 18:26:04 -0800 (Tue, 09 Nov 2010)
Log Message:
-----------
Reject data with illegal control characters.

Modified Paths:
--------------
    CalendarServer/trunk/twistedcaldav/ical.py
    CalendarServer/trunk/twistedcaldav/vcard.py

Modified: CalendarServer/trunk/twistedcaldav/ical.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/ical.py	2010-11-10 02:24:23 UTC (rev 6584)
+++ CalendarServer/trunk/twistedcaldav/ical.py	2010-11-10 02:26:04 UTC (rev 6585)
@@ -1409,6 +1409,13 @@
                     "Timezone %s is not referenced by any non-timezone component" % (timezone,)
                 )
 
+        # Arghh - we have to do this AFTER the timezone check because the str(self) call will result in
+        # vobject adding in any missing timezones!
+        # Control character check - only HTAB, CR, LF allowed for characters in the range 0x00-0x1F
+        s = str(self)
+        if len(s.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")) != len(s):
+            raise InvalidICalendarDataError("iCalendar contains illegal control character")
+
     def validOrganizerForScheduling(self):
         """
         Check that the ORGANIZER property is valid for scheduling 
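Review bot: The 29-character delete set passed to `s.translate(None, ...)` is a hand-typed literal, and the same literal is repeated in the vcard.py hunk of this commit, so the two validators can drift apart if only one is edited. Defining it once, e.g. `ILLEGAL_CONTROL_CHARS = "".join(chr(c) for c in range(0x20) if c not in (0x09, 0x0A, 0x0D))`, and using it in both places makes the allowed set (HTAB, LF, CR) auditable at a glance. The check also runs on `str(self)`, the re-serialized form, not on the data as received, so it only rejects a control character if serialization passes it through unchanged; that is not visible here and is worth a comment or a test. The enclosing validation method starts outside the hunk.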

Modified: CalendarServer/trunk/twistedcaldav/vcard.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/vcard.py	2010-11-10 02:24:23 UTC (rev 6584)
+++ CalendarServer/trunk/twistedcaldav/vcard.py	2010-11-10 02:26:04 UTC (rev 6585)
@@ -346,11 +346,18 @@
         if self.name() != "VCARD": raise InvalidVCardDataError("Not a vcard")
 
         version = self.propertyValue("VERSION")
-        if version != "3.0": raise InvalidVCardDataError("Not a version 2.0 vCard (version=%s)" % (version,))
+        if version != "3.0":
+            raise InvalidVCardDataError("Not a version 2.0 vCard (version=%s)" % (version,))
 
         uid = self.propertyValue("UID")
         if uid is None:
             raise InvalidVCardDataError("All vCards must have UIDs")
+        
+        # Control character check - only HTAB, CR, LF allowed for characters in the range 0x00-0x1F
+        s = str(self)
+        if len(s.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")) != len(s):
+            raise InvalidVCardDataError("vCard contains illegal control character")
+        
 
     def transformAllFromNative(self):
         self._vobject = self._vobject.transformFromNative()
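Review bot: The message raised when `version != "3.0"` still reads "Not a version 2.0 vCard", which contradicts the check; the commit re-wraps the statement but keeps the text, so it should become `raise InvalidVCardDataError("Not a version 3.0 vCard (version=%s)" % (version,))`. The `version` value is interpolated into that message before the new control-character check runs, so if the exception text reaches logs or responses (not visible in this hunk), formatting it with `%r` would keep raw control bytes out of them. The two added blank lines around the control-character block carry trailing whitespace. The enclosing method begins outside the hunk.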