fix calendar vulnerability
authorGeorg Ehrke <dev@georgswebsite.de>
Tue, 8 May 2012 06:46:14 +0000 (08:46 +0200)
committerGeorg Ehrke <dev@georgswebsite.de>
Tue, 8 May 2012 06:46:27 +0000 (08:46 +0200)
apps/calendar/ajax/events.php

index 9ecb625246e9e1af452c9ccf3ac4bbc0499fb891..c3807fe47ed443541ffbf5668c6f348a6a65c3f7 100755 (executable)
@@ -12,10 +12,16 @@ require_once('when/When.php');
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
+$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false);
+if($calendar['userid'] != OCP\User::getUser){
+       OCP\JSON::error();
+       exit;
+}
+
 $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
 $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);
 
-$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end);
+$events = OC_Calendar_App::getrequestedEvents($id, $start, $end);
 
 $output = array();
 foreach($events as $event){
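Review bot: The added ownership check references `OCP\User::getUser` without call parentheses, so PHP parses it as a class-constant lookup instead of a method call and the script would most likely fail on every request rather than compare against the logged-in user; it should read `if($calendar['userid'] != OCP\User::getUser()){`. The rewritten query line passes `$id`, which is not assigned anywhere in this hunk (the first lines of the file are outside it, so this is inferred); unless it is set there, the event lookup runs with an undefined value, and `$events = OC_Calendar_App::getrequestedEvents($calendar['id'], $start, $end);` or the original `$_GET['calendar_id']` looks like what was intended. The comparison is also a loose `!=`; if `getCalendar` can return a non-array for an unknown id, a strict `!==` after an explicit check of the return value would make the denial path unambiguous. A short comment above the check, such as `// deny access to calendars not owned by the current user`, would record why the lookup happens before any event data is read.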