Commit 0ce1cbdd authored by Georg Ehrke's avatar Georg Ehrke

fix calendar vulnerability

parent 010b97fe
...@@ -12,10 +12,16 @@ require_once('when/When.php'); ...@@ -12,10 +12,16 @@ require_once('when/When.php');
OCP\JSON::checkLoggedIn(); OCP\JSON::checkLoggedIn();
OCP\JSON::checkAppEnabled('calendar'); OCP\JSON::checkAppEnabled('calendar');
$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false);
if($calendar['userid'] != OCP\User::getUser){
OCP\JSON::error();
exit;
}
$start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']); $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
$end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']); $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);
$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end); $events = OC_Calendar_App::getrequestedEvents($id, $start, $end);
$output = array(); $output = array();
foreach($events as $event){ foreach($events as $event){
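Review bot: The added ownership check compares against `OCP\User::getUser` without parentheses, which PHP resolves as a class-constant lookup rather than a method call. Unless the class defines a constant of that name, the script stops with an undefined-constant error for every caller, the owner included; the line should read `if($calendar['userid'] != OCP\User::getUser()){`. The page also shows one version of the `getrequestedEvents` call passing `$id`, which is not assigned anywhere in the visible lines. If that is the new side, the query no longer uses the calendar id that was just checked, so pass the same `$_GET['calendar_id']` that went into `getCalendar`. A strict `!==` would also avoid type juggling in the owner comparison, assuming both values are strings; the rest of the script lies outside the hunk.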