From 0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Tue, 8 May 2012 08:46:14 +0200
Subject: [PATCH] fix calendar vulnerability
---
 apps/calendar/ajax/events.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index 9ecb625246e..c3807fe47ed 100755
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -12,10 +12,16 @@ require_once('when/When.php');
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false);
+if($calendar['userid'] != OCP\User::getUser){
+ OCP\JSON::error();
+ exit;
+}
+
 $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
 $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);
-$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end);
+$events = OC_Calendar_App::getrequestedEvents($id, $start, $end);
 $output = array();
 foreach($events as $event){
-- 
2.39.5
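Review bot: The ownership check added after `checkAppEnabled('calendar')` compares against `OCP\User::getUser` without parentheses, which PHP parses as a class-constant fetch rather than a method call, so the comparison never sees the logged-in user's id; it should read `if($calendar['userid'] != OCP\User::getUser()){`. The rewritten call at the end of the hunk passes `$id`, which is not assigned anywhere in the visible lines; unless it is set above line 12, outside the hunk, the events query no longer receives the calendar that was just authorised. Assigning `$id = $_GET['calendar_id'];` before the lookup and using `$id` in both `getCalendar` and `getrequestedEvents` keeps the checked value and the queried value identical. A strict `!==` would also rule out type juggling between the stored owner and the session user, assuming both are strings.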