From: Georg Ehrke <dev@georgswebsite.de>
Date: Tue, 8 May 2012 06:46:14 +0000 (+0200)
Subject: fix calendar vulnerability
X-Git-Tag: v4.0.0RC~114
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b;p=nextcloud-server.git

fix calendar vulnerability
---

diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index 9ecb625246e..c3807fe47ed 100755
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -12,10 +12,16 @@ require_once('when/When.php');
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
 
+$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false);
+if($calendar['userid'] != OCP\User::getUser){
+	OCP\JSON::error();
+	exit;
+}
+
 $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
 $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);
 
-$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end);
+$events = OC_Calendar_App::getrequestedEvents($id, $start, $end);
 
 $output = array();
 foreach($events as $event){