[CalendarServer-changes] [8370] CalendarServer/trunk

source_changes at macosforge.org source_changes at macosforge.org
Fri Dec 2 11:28:24 PST 2011 

Revision: 8370
          http://trac.macosforge.org/projects/calendarserver/changeset/8370
Author:   cdaboo at apple.com
Date:     2011-12-02 11:28:24 -0800 (Fri, 02 Dec 2011)
Log Message:
-----------
Disable Depth:infinity PROPFINDs.

Modified Paths:
--------------
    CalendarServer/trunk/twext/web2/dav/element/rfc2518.py
    CalendarServer/trunk/twext/web2/dav/method/propfind.py
    CalendarServer/trunk/twistedcaldav/method/propfind.py
    CalendarServer/trunk/twistedcaldav/test/test_props.py
    CalendarServer/trunk/twistedcaldav/test/test_schedule.py

Modified: CalendarServer/trunk/twext/web2/dav/element/rfc2518.py
===================================================================
--- CalendarServer/trunk/twext/web2/dav/element/rfc2518.py	2011-12-02 19:26:15 UTC (rev 8369)
+++ CalendarServer/trunk/twext/web2/dav/element/rfc2518.py	2011-12-02 19:28:24 UTC (rev 8370)
@@ -1,5 +1,5 @@
 ##
-# Copyright (c) 2005 Apple Computer, Inc. All rights reserved.
+# Copyright (c) 2005-2011 Apple Computer, Inc. All rights reserved.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -574,3 +574,11 @@
     protected = True
 
     allowed_children = { (dav_namespace, "lockentry"): (0, None) }
+
+# Pre-conditions codes defined in RFC4918
+
+class PropfindFiniteDepth (WebDAVEmptyElement):
+    """
+    Error which indicates Depth:infinity PROPFIND not allowed
+    """
+    name = "propfind-finite-depth"

Modified: CalendarServer/trunk/twext/web2/dav/method/propfind.py
===================================================================
--- CalendarServer/trunk/twext/web2/dav/method/propfind.py	2011-12-02 19:26:15 UTC (rev 8369)
+++ CalendarServer/trunk/twext/web2/dav/method/propfind.py	2011-12-02 19:28:24 UTC (rev 8370)
@@ -1,6 +1,6 @@
 # -*- test-case-name: twext.web2.dav.test.test_prop.PROP.test_PROPFIND -*-
 ##
-# Copyright (c) 2005 Apple Computer, Inc. All rights reserved.
+# Copyright (c) 2005-2011 Apple Computer, Inc. All rights reserved.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -40,7 +40,8 @@
 from twext.web2 import responsecode
 from twext.web2.http import StatusResponse
 from twext.web2.dav import davxml
-from twext.web2.dav.http import MultiStatusResponse, statusForFailure
+from twext.web2.dav.http import MultiStatusResponse, statusForFailure,\
+    ErrorResponse
 from twext.web2.dav.util import normalizeURL, davXMLFromStream
 
 log = Logger()
@@ -106,6 +107,10 @@
     #
     request_uri = request.uri
     depth = request.headers.getHeader("depth", "infinity")
+    
+    # By policy we will never allow a depth:infinity propfind
+    if depth == "infinity":
+        raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, davxml.PropfindFiniteDepth()))
 
     xml_responses = []
 

Modified: CalendarServer/trunk/twistedcaldav/method/propfind.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/method/propfind.py	2011-12-02 19:26:15 UTC (rev 8369)
+++ CalendarServer/trunk/twistedcaldav/method/propfind.py	2011-12-02 19:28:24 UTC (rev 8370)
@@ -1,6 +1,6 @@
 # -*- test-case-name: twext.web2.dav.test.test_prop.PROP.test_PROPFIND -*-
 ##
-# Copyright (c) 2005-2008 Apple Computer, Inc. All rights reserved.
+# Copyright (c) 2005-2011 Apple Computer, Inc. All rights reserved.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -33,7 +33,8 @@
 from twext.web2 import responsecode
 from twext.web2.http import StatusResponse
 from twext.web2.dav import davxml
-from twext.web2.dav.http import MultiStatusResponse, statusForFailure
+from twext.web2.dav.http import MultiStatusResponse, statusForFailure,\
+    ErrorResponse
 from twext.web2.dav.util import normalizeURL, davXMLFromStream
 
 from twext.python.log import Logger
@@ -103,6 +104,10 @@
     request_uri = request.uri
     depth = request.headers.getHeader("depth", "infinity")
 
+    # By policy we will never allow a depth:infinity propfind
+    if depth == "infinity":
+        raise HTTPError(ErrorResponse(responsecode.FORBIDDEN, davxml.PropfindFiniteDepth()))
+
     xml_responses = []
 
     # FIXME: take advantage of the new generative properties of findChildren

Modified: CalendarServer/trunk/twistedcaldav/test/test_props.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/test/test_props.py	2011-12-02 19:26:15 UTC (rev 8369)
+++ CalendarServer/trunk/twistedcaldav/test/test_props.py	2011-12-02 19:28:24 UTC (rev 8370)
@@ -1,5 +1,5 @@
 ##
-# Copyright (c) 2005-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2011 Apple Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@
 
 import os
 
-from twext.web2 import responsecode
+from twext.web2 import responsecode, http_headers
 from twext.web2.iweb import IResponse
 from twext.web2.dav import davxml
 from twext.web2.dav.util import davXMLFromStream
@@ -134,7 +134,12 @@
                         ),
                     )
 
-            request = SimpleRequest(self.site, "PROPFIND", calendar_uri)
+            request = SimpleRequest(
+                self.site,
+                "PROPFIND",
+                calendar_uri,
+                headers=http_headers.Headers({"Depth":"0"}),
+            )
             request.stream = MemoryStream(query.toxml())
             return self.send(request, propfind_cb)
 
@@ -200,7 +205,12 @@
                         davxml.AllProperties(),
                     )
 
-            request = SimpleRequest(self.site, "PROPFIND", calendar_uri)
+            request = SimpleRequest(
+                self.site,
+                "PROPFIND",
+                calendar_uri,
+                headers=http_headers.Headers({"Depth":"0"}),
+            )
             request.stream = MemoryStream(query.toxml())
             return self.send(request, propfind_cb)
 

Modified: CalendarServer/trunk/twistedcaldav/test/test_schedule.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/test/test_schedule.py	2011-12-02 19:26:15 UTC (rev 8369)
+++ CalendarServer/trunk/twistedcaldav/test/test_schedule.py	2011-12-02 19:28:24 UTC (rev 8370)
@@ -14,7 +14,7 @@
 # limitations under the License.
 ##
 
-from twext.web2 import responsecode
+from twext.web2 import responsecode, http_headers
 from twext.web2.dav import davxml
 from twext.web2.dav.util import davXMLFromStream
 from twext.web2.http import HTTPError
@@ -79,7 +79,12 @@
                     ),
                 )
 
-        request = SimpleRequest(self.site, "PROPFIND", inbox_uri)
+        request = SimpleRequest(
+            self.site,
+            "PROPFIND",
+            inbox_uri,
+            headers=http_headers.Headers({"Depth":"0"}),
+        )
         request.stream = MemoryStream(query.toxml())
         return self.send(request, propfind_cb)
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20111202/d4d658f7/attachment.html>

More information about the calendarserver-changes mailing list