From 06ff6c6d7daeb44da0de5de36eef7ea2b7a4137e Mon Sep 17 00:00:00 2001
From: Thomas Tanghus <thomas@tanghus.net>
Date: Tue, 17 Jul 2012 11:46:01 +0200
Subject: [PATCH] Added CSRF checks to Calendar. Expect some error messages -
 and report them ;)

---
 apps/calendar/ajax/calendar/activation.php    | 2 ++
 apps/calendar/ajax/calendar/delete.php        | 1 +
 apps/calendar/ajax/calendar/new.php           | 3 +--
 apps/calendar/ajax/calendar/update.php        | 1 +
 apps/calendar/ajax/categories/rescan.php      | 1 +
 apps/calendar/ajax/event/delete.php           | 1 +
 apps/calendar/ajax/event/edit.php             | 1 +
 apps/calendar/ajax/event/move.php             | 1 +
 apps/calendar/ajax/event/new.php              | 1 +
 apps/calendar/ajax/event/resize.php           | 1 +
 apps/calendar/ajax/import/import.php          | 1 +
 apps/calendar/ajax/settings/setfirstday.php   | 1 +
 apps/calendar/ajax/settings/settimeformat.php | 1 +
 apps/calendar/ajax/settings/settimezone.php   | 1 +
 14 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/apps/calendar/ajax/calendar/activation.php b/apps/calendar/ajax/calendar/activation.php
index e31908beb14..f4aadc5b017 100644
--- a/apps/calendar/ajax/calendar/activation.php
+++ b/apps/calendar/ajax/calendar/activation.php
@@ -9,6 +9,8 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
+
 $calendarid = $_POST['calendarid'];
 $calendar = OC_Calendar_App::getCalendar($calendarid, true);
 if(!$calendar){
diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php
index 4d6706f6002..089255cae39 100644
--- a/apps/calendar/ajax/calendar/delete.php
+++ b/apps/calendar/ajax/calendar/delete.php
@@ -9,6 +9,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $cal = $_POST["calendarid"];
 $calendar = OC_Calendar_App::getCalendar($cal, true);
diff --git a/apps/calendar/ajax/calendar/new.php b/apps/calendar/ajax/calendar/new.php
index e77d4ebff03..67d12822378 100644
--- a/apps/calendar/ajax/calendar/new.php
+++ b/apps/calendar/ajax/calendar/new.php
@@ -6,11 +6,10 @@
  * See the COPYING-README file.
  */
 
- 
-
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 if(trim($_POST['name']) == ''){
 	OCP\JSON::error(array('message'=>'empty'));
diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php
index a2c898c8075..c09b1008c9c 100644
--- a/apps/calendar/ajax/calendar/update.php
+++ b/apps/calendar/ajax/calendar/update.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 if(trim($_POST['name']) == ''){
 	OCP\JSON::error(array('message'=>'empty'));
diff --git a/apps/calendar/ajax/categories/rescan.php b/apps/calendar/ajax/categories/rescan.php
index f0060cb23b2..08c32865b6f 100644
--- a/apps/calendar/ajax/categories/rescan.php
+++ b/apps/calendar/ajax/categories/rescan.php
@@ -9,6 +9,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 foreach ($_POST as $key=>$element) {
 	debug('_POST: '.$key.'=>'.print_r($element, true));
diff --git a/apps/calendar/ajax/event/delete.php b/apps/calendar/ajax/event/delete.php
index f183d431afa..17e45c001e8 100644
--- a/apps/calendar/ajax/event/delete.php
+++ b/apps/calendar/ajax/event/delete.php
@@ -9,6 +9,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
diff --git a/apps/calendar/ajax/event/edit.php b/apps/calendar/ajax/event/edit.php
index 1c3babc3d90..db78bf6e5e0 100644
--- a/apps/calendar/ajax/event/edit.php
+++ b/apps/calendar/ajax/event/edit.php
@@ -9,6 +9,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 
diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 04cf2fb0513..f4e2b36376d 100644
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -7,6 +7,7 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
diff --git a/apps/calendar/ajax/event/new.php b/apps/calendar/ajax/event/new.php
index 30e2b0cae36..bc0439cc315 100644
--- a/apps/calendar/ajax/event/new.php
+++ b/apps/calendar/ajax/event/new.php
@@ -10,6 +10,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $errarr = OC_Calendar_Object::validateRequest($_POST);
 if($errarr){
diff --git a/apps/calendar/ajax/event/resize.php b/apps/calendar/ajax/event/resize.php
index 56b83205e85..15b687b55da 100644
--- a/apps/calendar/ajax/event/resize.php
+++ b/apps/calendar/ajax/event/resize.php
@@ -7,6 +7,7 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 
diff --git a/apps/calendar/ajax/import/import.php b/apps/calendar/ajax/import/import.php
index 1facedfe0da..38008af4a9d 100644
--- a/apps/calendar/ajax/import/import.php
+++ b/apps/calendar/ajax/import/import.php
@@ -10,6 +10,7 @@ ob_start();
 
 OCP\JSON::checkLoggedIn();
 OCP\App::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 session_write_close();
 
 $nl="\r\n";
diff --git a/apps/calendar/ajax/settings/setfirstday.php b/apps/calendar/ajax/settings/setfirstday.php
index 056a6037524..73cf0c19b78 100644
--- a/apps/calendar/ajax/settings/setfirstday.php
+++ b/apps/calendar/ajax/settings/setfirstday.php
@@ -7,6 +7,7 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 if(isset($_POST["firstday"])){
 	OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'firstday', $_POST["firstday"]);
 	OCP\JSON::success();
diff --git a/apps/calendar/ajax/settings/settimeformat.php b/apps/calendar/ajax/settings/settimeformat.php
index 8e95f6f3bf5..6136857e2fe 100644
--- a/apps/calendar/ajax/settings/settimeformat.php
+++ b/apps/calendar/ajax/settings/settimeformat.php
@@ -7,6 +7,7 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 if(isset($_POST["timeformat"])){
 	OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timeformat', $_POST["timeformat"]);
 	OCP\JSON::success();
diff --git a/apps/calendar/ajax/settings/settimezone.php b/apps/calendar/ajax/settings/settimezone.php
index 6d029a6643a..06db66d578e 100644
--- a/apps/calendar/ajax/settings/settimezone.php
+++ b/apps/calendar/ajax/settings/settimezone.php
@@ -14,6 +14,7 @@ $l=OC_L10N::get('calendar');
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 // Get data
 if( isset( $_POST['timezone'] ) ){
-- 
GitLab