From 0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b Mon Sep 17 00:00:00 2001 From: Georg Ehrke Date: Tue, 8 May 2012 08:46:14 +0200 Subject: [PATCH] fix calendar vulnerability --- apps/calendar/ajax/events.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php index 9ecb625246..c3807fe47e 100755 --- a/apps/calendar/ajax/events.php +++ b/apps/calendar/ajax/events.php @@ -12,10 +12,16 @@ require_once('when/When.php'); OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false); +if($calendar['userid'] != OCP\User::getUser){ + OCP\JSON::error(); + exit; +} + $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']); $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']); -$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end); +$events = OC_Calendar_App::getrequestedEvents($id, $start, $end); $output = array(); foreach($events as $event){