[CalendarServer-changes] [15783] CalendarServer/trunk/txdav/caldav/datastore

source_changes at macosforge.org source_changes at macosforge.org
Wed Aug 3 11:01:01 PDT 2016


Revision: 15783
          http://trac.calendarserver.org//changeset/15783
Author:   cdaboo at apple.com
Date:     2016-08-03 11:01:01 -0700 (Wed, 03 Aug 2016)
Log Message:
-----------
Make sure illegal characters in attachment file names are stripped.

Modified Paths:
--------------
    CalendarServer/trunk/txdav/caldav/datastore/sql.py
    CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py

Modified: CalendarServer/trunk/txdav/caldav/datastore/sql.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/sql.py	2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/sql.py	2016-08-03 18:01:01 UTC (rev 15783)
@@ -4895,6 +4895,11 @@
         # Check validity of request
         yield self._checkValidManagedAttachmentChange()
 
+        # Protect against invalid file names
+        if isinstance(filename, unicode):
+            filename = filename.encode("utf-8")
+        filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
         # First write the data stream
 
         # We need to know the resource_ID of the home collection of the owner
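Review bot: The delete set passed to `filename.translate(...)` omits `\x09`, `\x0A`, `\x0D` and `\x7F`, so tab, LF, CR and DEL survive in the stored name, and the comment `# Protect against invalid file names` does not say whether that is intended. The test in this commit shows the name being written to the ATTACH `FILENAME` parameter, and whether the serializer escapes line breaks there is not visible in this diff. Either strip those characters as well or say why they are kept, e.g. `# Strip C0 controls that are illegal in XML 1.0; TAB/LF/CR are kept because ...`. The same 29-character literal is repeated in the second sql.py hunk, so a module-level constant such as `_INVALID_FILENAME_CHARS` used from both places would keep the two paths from drifting. Both enclosing methods begin and end outside the hunks.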
@@ -4949,6 +4954,11 @@
         # Check validity of request
         yield self._checkValidManagedAttachmentChange()
 
+        # Protect against invalid file names
+        if isinstance(filename, unicode):
+            filename = filename.encode("utf-8")
+        filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
         # First check the supplied managed-id is associated with this resource
         cobjs = (yield ManagedAttachment.referencesTo(self._txn, managed_id))
         if self._resourceID not in cobjs:

Modified: CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py	2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py	2016-08-03 18:01:01 UTC (rev 15783)
@@ -1495,7 +1495,57 @@
         self.assertEquals(data, "new attachment text")
 
 
+    @inlineCallbacks
+    def test_validFilename(self):
+        """
+        L{CalendarObject.addAttachment} will remove any invalid characters from the supplied file name.
+        """
 
+        # Create attachment
+        obj = yield self.calendarObjectUnderTest()
+        attachment, _ignore_location = yield obj.addAttachment(None, MimeType("text", "x-fixture"), "new\x1F.attachment", MemoryStream("new attachment text"))
+        self.assertEqual(attachment.name(), "new.attachment")
+        yield self.commit()
+
+        # Verify parameters exist
+        obj = yield self.calendarObjectUnderTest()
+        component = yield obj.componentForUser()
+        attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+        self.assertEqual(len(attachments), 1)
+        attach = attachments[0]
+        managed_id = attach.parameterValue("MANAGED-ID")
+        fmttype = attach.parameterValue("FMTTYPE")
+        filename = attach.parameterValue("FILENAME")
+        size = attach.parameterValue("SIZE")
+
+        self.assertEqual(fmttype, "text/x-fixture")
+        self.assertEqual(filename, "new.attachment")
+        self.assertEqual(int(size), 19)
+        yield self.commit()
+
+        # Update attachment
+        obj = yield self.calendarObjectUnderTest()
+        attachment, _ignore_location = yield obj.updateAttachment(managed_id, MimeType("text", "x-fixture"), "updated\x1F.attachment", MemoryStream("updated attachment text"))
+        self.assertEqual(attachment.name(), "updated.attachment")
+        yield self.commit()
+
+        # Verify parameters exist
+        obj = yield self.calendarObjectUnderTest()
+        component = yield obj.componentForUser()
+        attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+        self.assertEqual(len(attachments), 1)
+        attach = attachments[0]
+        managed_id = attach.parameterValue("MANAGED-ID")
+        fmttype = attach.parameterValue("FMTTYPE")
+        filename = attach.parameterValue("FILENAME")
+        size = attach.parameterValue("SIZE")
+
+        self.assertEqual(fmttype, "text/x-fixture")
+        self.assertEqual(filename, "updated.attachment")
+        self.assertEqual(int(size), 23)
+        yield self.commit()
+
+
 now = DateTime.getToday().getYear()
 
 PLAIN_ICS = """BEGIN:VCALENDAR
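Review bot: `test_validFilename` only passes byte-string names containing `\x1F`, so the `isinstance(filename, unicode)` branch added in sql.py is never exercised. A further pair of calls with a unicode name, e.g. `u"new\x1F.attachment"`, would cover it. A name made up only of stripped characters would pin down what the store does when sanitising leaves an empty string. The two "Verify parameters exist" blocks differ only in the expected values and could share a small helper.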