enforce a certain strength of uid, as some clients set quite weak ones)

2008-05-20 04:59:26 +00:00 · 2008-05-20 04:59:26 +00:00 · 9f30e824b0
commit 9f30e824b0
parent 01407a4e38
5 changed files with 10 additions and 7 deletions
--- a/addressbook/inc/class.addressbook_groupdav.inc.php
+++ b/addressbook/inc/class.addressbook_groupdav.inc.php
@ -249,7 +249,7 @@ class addressbook_groupdav extends groupdav_handler
 		}
 		// SOGo requires that we keep it's path, but sets a different name-part then the uid
 		// we use there name-part as UID, to be able to allow it to access the contact again with that path
-		elseif (strlen($id) > 10 && strpos($_SERVER['HTTP_USER_AGENT'],'Thunderbird'))
+		elseif (strlen($id) > 20 && strpos($_SERVER['HTTP_USER_AGENT'],'Thunderbird'))
 		{
 			$contact['uid'] = basename($id,'.vcf');
 		}
@ -273,7 +273,7 @@ class addressbook_groupdav extends groupdav_handler
 		if (is_null($ok))
 		{
 			header($h='Location: '.$this->base_uri.self::get_path($contact));
-			error_log(__METHOD__."($method,,$id) header('$h'): 201 Created");
+			if ($this->debug) error_log(__METHOD__."($method,,$id) header('$h'): 201 Created");
 			return '201 Created';
 		}
 		return true;
@ -307,7 +307,7 @@ class addressbook_groupdav extends groupdav_handler
 		{
 			return $contact;
 		}
-		if ($this->bo->delete($contact['id'],self::etag2value($this->http_if_match)) === 0)
+		if (($Ok = $this->bo->delete($contact['id'],self::etag2value($this->http_if_match))) === 0)
 		{
 			return '412 Precondition Failed';
 		}
--- a/addressbook/inc/class.addressbook_sql.inc.php
+++ b/addressbook/inc/class.addressbook_sql.inc.php
@ -632,7 +632,8 @@ class addressbook_sql extends so_sql
 				$this->data['etag'] = 0;
 			}
 		}
-		if (!$err && !$this->data['uid'])
+		// enforce a minium uid strength
+		if (!$err && (strlen($this->data['uid']) < 20 || is_numeric($this->data['uid'])))
 		{
 			parent::update(array('uid' => common::generate_uid('addressbook',$this->data['id'])));
 			$this->data['etag']++;
--- a/calendar/inc/class.socal.inc.php
+++ b/calendar/inc/class.socal.inc.php
@ -514,8 +514,9 @@ ORDER BY cal_user_type, cal_usre_id
 			{
 				return false;
 			}
-			// new event (without uid) or new created referencing event => create new uid
-			if (!$event['cal_uid'] || $event['cal_reference'] && strpos($event['cal_uid'],'cal-'.$event['calreference'].'-') !== false)
+			// new event (without uid), not strong enough uid or new created referencing event => create new uid
+			if (strlen($event['cal_uid']) < 20 || is_nummeric($event['cal_uid']) ||
+				$event['cal_reference'] && strpos($event['cal_uid'],'cal-'.$event['calreference'].'-') !== false)
 			{
 				$event['cal_uid'] = $GLOBALS['egw']->common->generate_uid('calendar',$cal_id);
 				$this->db->update($this->cal_table,array('cal_uid' => $event['cal_uid']),array('cal_id' => $cal_id),__LINE__,__FILE__,'calendar');
--- a/phpgwapi/inc/class.groupdav.inc.php
+++ b/phpgwapi/inc/class.groupdav.inc.php
@ -42,6 +42,7 @@ class groupdav extends HTTP_WebDAV_Server
 	const REALM = 'eGroupWare CalDAV/CardDAV/GroupDAV server';

 	var $dav_powered_by = self::REALM;
+	var $http_auth_realm = self::REALM;

 	var $root = array(
 		'calendar' => array(self::GROUPDAV => 'vevent-collection', self::CALDAV => 'calendar'),
--- a/phpgwapi/inc/class.groupdav_handler.inc.php
+++ b/phpgwapi/inc/class.groupdav_handler.inc.php
@ -203,7 +203,7 @@ abstract class groupdav_handler
 			return '403 Forbidden';		// no app rights
 		}
 		$extra_acl = $this->method2acl[$method];
-		if (!($entry = $this->read($id)) && ($method != 'PUT' || $event === false) ||
+		if (!($entry = $this->read($id)) && ($method != 'PUT' || $entry === false) ||
 			($extra_acl != EGW_ACL_READ && $this->check_access($extra_acl,$entry) === false))
 		{
 			if ($return_no_access && !is_null($entry))