diff options
| author | Georg Ehrke <dev@georgswebsite.de> | 2012-05-08 08:46:14 +0200 |
|---|---|---|
| committer | Georg Ehrke <dev@georgswebsite.de> | 2012-05-08 08:46:27 +0200 |
| commit | 0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b (patch) | |
| tree | a84254f64e283b2181598dd38959b144088482c8 | |
| parent | 010b97febdbabc9b9100b5f98394e427922129da (diff) | |
| download | nextcloud-server-0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b.tar.gz nextcloud-server-0ce1cbdd140f1d2bf0e40fec79c4432a87674e0b.zip | |
fix calendar vulnerability
| -rwxr-xr-x | apps/calendar/ajax/events.php | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php index 9ecb625246e..c3807fe47ed 100755 --- a/apps/calendar/ajax/events.php +++ b/apps/calendar/ajax/events.php @@ -12,10 +12,16 @@ require_once('when/When.php'); OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('calendar'); +$calendar = OC_Calendar_App::getCalendar($_GET['calendar_id'], false, false); +if($calendar['userid'] != OCP\User::getUser){ + OCP\JSON::error(); + exit; +} + $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']); $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']); -$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end); +$events = OC_Calendar_App::getrequestedEvents($id, $start, $end); $output = array(); foreach($events as $event){ |