enforce a certain strength of uid, as some clients set quite weak ones)

Ralf Becker 2008-05-20 04:59:26 +00:00
parent 01407a4e38
commit 9f30e824b0
5 changed files with 10 additions and 7 deletions


@ -249,7 +249,7 @@ class addressbook_groupdav extends groupdav_handler
} }
// SOGo requires that we keep it's path, but sets a different name-part then the uid // SOGo requires that we keep it's path, but sets a different name-part then the uid
// we use there name-part as UID, to be able to allow it to access the contact again with that path // we use there name-part as UID, to be able to allow it to access the contact again with that path
elseif (strlen($id) > 10 && strpos($_SERVER['HTTP_USER_AGENT'],'Thunderbird')) elseif (strlen($id) > 20 && strpos($_SERVER['HTTP_USER_AGENT'],'Thunderbird'))
{ {
$contact['uid'] = basename($id,'.vcf'); $contact['uid'] = basename($id,'.vcf');
} }
@ -273,7 +273,7 @@ class addressbook_groupdav extends groupdav_handler
if (is_null($ok)) if (is_null($ok))
{ {
header($h='Location: '.$this->base_uri.self::get_path($contact)); header($h='Location: '.$this->base_uri.self::get_path($contact));
error_log(__METHOD__."($method,,$id) header('$h'): 201 Created"); if ($this->debug) error_log(__METHOD__."($method,,$id) header('$h'): 201 Created");
return '201 Created'; return '201 Created';
} }
return true; return true;
@ -307,7 +307,7 @@ class addressbook_groupdav extends groupdav_handler
{ {
return $contact; return $contact;
} }
if ($this->bo->delete($contact['id'],self::etag2value($this->http_if_match)) === 0) if (($Ok = $this->bo->delete($contact['id'],self::etag2value($this->http_if_match))) === 0)
{ {
return '412 Precondition Failed'; return '412 Precondition Failed';
} }
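Review bot: In the first hunk the new guard measures `strlen($id) > 20`, but the value stored is `basename($id,'.vcf')`, so the length test includes the `.vcf` suffix (and any directory part, if `$id` carries one; that is not visible here). A 17-character name-part would pass this check and then, judging by the addressbook_sql change in this same commit, be replaced on save because it is shorter than 20 or numeric, which defeats the stated aim of letting the client find the contact again under its own path. I would test the value actually stored and use the same rule as the save path: `elseif (strlen($uid = basename($id,'.vcf')) >= 20 && !is_numeric($uid) && strpos($_SERVER['HTTP_USER_AGENT'],'Thunderbird') !== false)` followed by `$contact['uid'] = $uid;`. The explicit `!== false` also stops a match at offset 0 from being read as "not found". The enclosing method starts and ends outside the hunk.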


@ -632,7 +632,8 @@ class addressbook_sql extends so_sql
$this->data['etag'] = 0; $this->data['etag'] = 0;
} }
} }
if (!$err && !$this->data['uid']) // enforce a minium uid strength
if (!$err && (strlen($this->data['uid']) < 20 || is_numeric($this->data['uid'])))
{ {
parent::update(array('uid' => common::generate_uid('addressbook',$this->data['id']))); parent::update(array('uid' => common::generate_uid('addressbook',$this->data['id'])));
$this->data['etag']++; $this->data['etag']++;
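Review bot: The threshold `20` in the new condition is a bare literal that this commit also hard-codes in the addressbook GroupDAV handler and the calendar storage class, so the three checks can drift apart unnoticed. I would define it once as a named constant (for example a `MIN_UID_LENGTH` constant next to `generate_uid`, name to be chosen by the project) and reference it in all three places. The added comment should also state the rule and its limits, e.g. `// enforce a minimum uid strength: at least 20 chars and not purely numeric, otherwise replace the client-supplied uid with a generated one`. Length and non-numeric content are only a proxy for unpredictability, since a 20-character constant string passes. The comment should therefore not suggest the uid is safe to treat as a secret. The enclosing method continues outside the hunk.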


@ -514,8 +514,9 @@ ORDER BY cal_user_type, cal_usre_id
{ {
return false; return false;
} }
// new event (without uid) or new created referencing event => create new uid // new event (without uid), not strong enough uid or new created referencing event => create new uid
if (!$event['cal_uid'] || $event['cal_reference'] && strpos($event['cal_uid'],'cal-'.$event['calreference'].'-') !== false) if (strlen($event['cal_uid']) < 20 || is_nummeric($event['cal_uid']) ||
$event['cal_reference'] && strpos($event['cal_uid'],'cal-'.$event['calreference'].'-') !== false)
{ {
$event['cal_uid'] = $GLOBALS['egw']->common->generate_uid('calendar',$cal_id); $event['cal_uid'] = $GLOBALS['egw']->common->generate_uid('calendar',$cal_id);
$this->db->update($this->cal_table,array('cal_uid' => $event['cal_uid']),array('cal_id' => $cal_id),__LINE__,__FILE__,'calendar'); $this->db->update($this->cal_table,array('cal_uid' => $event['cal_uid']),array('cal_id' => $cal_id),__LINE__,__FILE__,'calendar');
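Review bot: The new condition calls `is_nummeric($event['cal_uid'])`, which is a misspelling of PHP's `is_numeric`. Because `||` short-circuits, the call is skipped only when the uid is shorter than 20 characters, so every save of an event whose uid is 20 characters or longer reaches the undefined function and aborts with a fatal error. The line should read `if (strlen($event['cal_uid']) < 20 || is_numeric($event['cal_uid']) ||`. Separately, the unchanged second operand tests `$event['cal_reference']` but builds its prefix from `$event['calreference']`, which looks like a key typo worth confirming. The enclosing method starts and ends outside the hunk.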


@ -42,6 +42,7 @@ class groupdav extends HTTP_WebDAV_Server
const REALM = 'eGroupWare CalDAV/CardDAV/GroupDAV server'; const REALM = 'eGroupWare CalDAV/CardDAV/GroupDAV server';
var $dav_powered_by = self::REALM; var $dav_powered_by = self::REALM;
var $http_auth_realm = self::REALM;
var $root = array( var $root = array(
'calendar' => array(self::GROUPDAV => 'vevent-collection', self::CALDAV => 'calendar'), 'calendar' => array(self::GROUPDAV => 'vevent-collection', self::CALDAV => 'calendar'),


@ -203,7 +203,7 @@ abstract class groupdav_handler
return '403 Forbidden'; // no app rights return '403 Forbidden'; // no app rights
} }
$extra_acl = $this->method2acl[$method]; $extra_acl = $this->method2acl[$method];
if (!($entry = $this->read($id)) && ($method != 'PUT' || $event === false) || if (!($entry = $this->read($id)) && ($method != 'PUT' || $entry === false) ||
($extra_acl != EGW_ACL_READ && $this->check_access($extra_acl,$entry) === false)) ($extra_acl != EGW_ACL_READ && $this->check_access($extra_acl,$entry) === false))
{ {
if ($return_no_access && !is_null($entry)) if ($return_no_access && !is_null($entry))
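Review bot: The corrected access condition relies on two strict-`false` contracts that are not documented anywhere in the hunk: `$entry === false` versus a merely falsy `$entry`, and `check_access($extra_acl,$entry) === false` versus any other return value. With `$event` replaced by `$entry`, a PUT for which `read($id)` yields a falsy but non-`false` result skips the first clause and is denied only if `check_access()` returns exactly `false`; a `null` or `0` from it would let the request proceed. Once the contract is confirmed against `read()` and `check_access()`, I would add a comment above the `if`, such as `// read(): false = no access, other falsy = not found (PUT may create); check_access() must return exactly false to deny`. I would also parenthesise the `&&` group so the precedence against `||` is explicit. The enclosing method starts and ends outside the hunk.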