[CalendarServer-changes] [15783] CalendarServer/trunk/txdav/caldav/datastore
source_changes at macosforge.org
source_changes at macosforge.org
Wed Aug 3 11:01:01 PDT 2016
Revision: 15783
http://trac.calendarserver.org//changeset/15783
Author: cdaboo at apple.com
Date: 2016-08-03 11:01:01 -0700 (Wed, 03 Aug 2016)
Log Message:
-----------
Make sure illegal characters in attachment file names are stripped.
Modified Paths:
--------------
CalendarServer/trunk/txdav/caldav/datastore/sql.py
CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py
Modified: CalendarServer/trunk/txdav/caldav/datastore/sql.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/sql.py 2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/sql.py 2016-08-03 18:01:01 UTC (rev 15783)
@@ -4895,6 +4895,11 @@
# Check validity of request
yield self._checkValidManagedAttachmentChange()
+ # Protect against invalid file names
+ if isinstance(filename, unicode):
+ filename = filename.encode("utf-8")
+ filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
# First write the data stream
# We need to know the resource_ID of the home collection of the owner
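Review bot: The deletion set passed to `translate` omits `\x09`, `\x0A` and `\x0D` (and `\x7F`), so a file name containing a tab, line feed or carriage return passes this check unchanged. The set looks like the control characters XML 1.0 disallows, which would explain the gaps, but that is inferred. The accompanying test shows the name ends up in the ATTACH `FILENAME` parameter, and whether the iCalendar serializer or any header that carries the name escapes line breaks is not visible here. Either add those bytes to the set or record the reason in a comment, e.g. `# TAB/LF/CR are kept deliberately: <reason>`. The identical line appears in the hunk at `@@ -4949,6 +4954,11 @@`, and the enclosing method starts and ends outside both hunks.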
@@ -4949,6 +4954,11 @@
# Check validity of request
yield self._checkValidManagedAttachmentChange()
+ # Protect against invalid file names
+ if isinstance(filename, unicode):
+ filename = filename.encode("utf-8")
+ filename = filename.translate(None, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F")
+
# First check the supplied managed-id is associated with this resource
cobjs = (yield ManagedAttachment.referencesTo(self._txn, managed_id))
if self._resourceID not in cobjs:
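Review bot: These three sanitising lines are a byte-for-byte copy of the ones in the hunk above, including the 29-character literal, so any later correction to the set has to be made in two places and the two paths can drift apart. Hoist the literal into a module-level constant and the logic into one helper that both call sites use, e.g. `filename = _stripInvalidFilenameChars(filename)` (the helper name is only a suggestion). The helper's docstring is the right place to state which characters are removed and that a `unicode` name is returned as UTF-8 bytes. The enclosing method starts and ends outside the hunk.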
Modified: CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py
===================================================================
--- CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py 2016-08-02 23:37:13 UTC (rev 15782)
+++ CalendarServer/trunk/txdav/caldav/datastore/test/test_attachments.py 2016-08-03 18:01:01 UTC (rev 15783)
@@ -1495,7 +1495,57 @@
self.assertEquals(data, "new attachment text")
+ @inlineCallbacks
+ def test_validFilename(self):
+ """
+ L{CalendarObject.addAttachment} will remove any invalid characters from the supplied file name.
+ """
+ # Create attachment
+ obj = yield self.calendarObjectUnderTest()
+ attachment, _ignore_location = yield obj.addAttachment(None, MimeType("text", "x-fixture"), "new\x1F.attachment", MemoryStream("new attachment text"))
+ self.assertEqual(attachment.name(), "new.attachment")
+ yield self.commit()
+
+ # Verify parameters exist
+ obj = yield self.calendarObjectUnderTest()
+ component = yield obj.componentForUser()
+ attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+ self.assertEqual(len(attachments), 1)
+ attach = attachments[0]
+ managed_id = attach.parameterValue("MANAGED-ID")
+ fmttype = attach.parameterValue("FMTTYPE")
+ filename = attach.parameterValue("FILENAME")
+ size = attach.parameterValue("SIZE")
+
+ self.assertEqual(fmttype, "text/x-fixture")
+ self.assertEqual(filename, "new.attachment")
+ self.assertEqual(int(size), 19)
+ yield self.commit()
+
+ # Update attachment
+ obj = yield self.calendarObjectUnderTest()
+ attachment, _ignore_location = yield obj.updateAttachment(managed_id, MimeType("text", "x-fixture"), "updated\x1F.attachment", MemoryStream("updated attachment text"))
+ self.assertEqual(attachment.name(), "updated.attachment")
+ yield self.commit()
+
+ # Verify parameters exist
+ obj = yield self.calendarObjectUnderTest()
+ component = yield obj.componentForUser()
+ attachments = component.getAllPropertiesInAnyComponent("ATTACH", depth=1,)
+ self.assertEqual(len(attachments), 1)
+ attach = attachments[0]
+ managed_id = attach.parameterValue("MANAGED-ID")
+ fmttype = attach.parameterValue("FMTTYPE")
+ filename = attach.parameterValue("FILENAME")
+ size = attach.parameterValue("SIZE")
+
+ self.assertEqual(fmttype, "text/x-fixture")
+ self.assertEqual(filename, "updated.attachment")
+ self.assertEqual(int(size), 23)
+ yield self.commit()
+
+
now = DateTime.getToday().getYear()
PLAIN_ICS = """BEGIN:VCALENDAR
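Review bot: `test_validFilename` only passes byte-string names containing `\x1F`, so the `isinstance(filename, unicode)` branch added in sql.py is never exercised, and neither is `\x00` or any other member of the deletion set. Add a case with a unicode name such as `u"new\x00.attachment"`, plus an assertion that pins the intended result for `\t`, `\n` and `\r`, which the filter currently leaves in place. The two "Verify parameters exist" blocks differ only in their expected values and could share a small helper.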