1.1 --- a/imiptools/content.py Wed Oct 29 01:05:08 2014 +0100
1.2 +++ b/imiptools/content.py Wed Oct 29 18:46:58 2014 +0100
1.3 @@ -404,15 +404,26 @@
1.4 if not attendees or not organiser:
1.5 return None
1.6
1.7 + return organiser, attendees
1.8 +
1.9 + def validate_identities(self, items):
1.10 +
1.11 + """
1.12 + Validate the 'items' against the known senders, obtaining sent-by
1.13 + addresses from attributes provided by the items.
1.14 + """
1.15 +
1.16 # Reject organisers that do not match any senders.
1.17
1.18 - organiser_value, organiser_attr = self.get_item("ORGANIZER")
1.19 - sent_by = organiser_attr.get("SENT-BY")
1.20 + identities = []
1.21
1.22 - if not self.filter_by_senders([organiser_value] + (sent_by and [sent_by] or [])):
1.23 - return None
1.24 + for value, attr in items:
1.25 + identities.append(value)
1.26 + sent_by = attr.get("SENT-BY")
1.27 + if sent_by:
1.28 + identities.append(sent_by)
1.29
1.30 - return organiser, attendees
1.31 + return self.filter_by_senders(identities)
1.32
1.33 def have_new_object(self, attendee, objtype):
1.34
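Review bot: The comment `# Reject organisers that do not match any senders.` kept at 1.16 now sits inside validate_identities, which the person handler also calls with attendee items, so it no longer describes the check; replace it with `# Reject items whose address and SENT-BY address both fail to match a sender.` The docstring should also say that the result is whatever filter_by_senders returns for the combined identity list, so validation succeeds as soon as any one item's address or SENT-BY matches a sender and does not distinguish which items matched. Callers that pass several items (the attendee path in person.py) should be aware of that any-match semantics; per-item validation would be a separate change.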
2.1 --- a/imiptools/handlers/person.py Wed Oct 29 01:05:08 2014 +0100
2.2 +++ b/imiptools/handlers/person.py Wed Oct 29 18:46:58 2014 +0100
2.3 @@ -18,13 +18,18 @@
2.4
2.5 "Handling mechanisms specific to people."
2.6
2.7 - def _record_and_deliver(self, objtype, queue=False):
2.8 + def _record_and_deliver(self, objtype, from_organiser=True, queue=False):
2.9
2.10 oa = self.require_organiser_and_attendees()
2.11 if not oa:
2.12 return False
2.13
2.14 - (organiser, organiser_attr), attendees = oa
2.15 + (organiser, organiser_attr), attendees = organiser_item, attendees = oa
2.16 +
2.17 + # Validate the organiser or attendee, ignoring spoofed requests.
2.18 +
2.19 + if not self.validate_identities(from_organiser and [organiser_item] or attendees):
2.20 + return False
2.21
2.22 # Process each attendee separately.
2.23
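Review bot: The chained unpacking `(organiser, organiser_attr), attendees = organiser_item, attendees = oa` at 2.15 assigns oa to two target lists in one statement and is easy to misread; the same form appears at 2.55 and 3.22. Two plain statements say the same thing: `organiser_item, attendees = oa` followed by `organiser, organiser_attr = organiser_item`. Separately, when from_organiser is False the check passes once any attendee (or its SENT-BY) matches a sender, yet the code under "Process each attendee separately" appears to go on handling every attendee; if that loop records state for attendees the sender did not match, a reply naming several attendees could still update the others' entries. Worth confirming, since the remainder of _record_and_deliver lies outside the hunk.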
2.24 @@ -108,14 +113,14 @@
2.25
2.26 "Record replies and notify the recipient."
2.27
2.28 - self._record_and_deliver("VEVENT", False)
2.29 + self._record_and_deliver("VEVENT", from_organiser=False, queue=False)
2.30 return PersonHandler.reply(self)
2.31
2.32 def request(self):
2.33
2.34 "Hold requests and notify the recipient."
2.35
2.36 - self._record_and_deliver("VEVENT", True)
2.37 + self._record_and_deliver("VEVENT", from_organiser=True, queue=True)
2.38
2.39 # The message is now wrapped and passed on to the recipient.
2.40
2.41 @@ -138,7 +143,7 @@
2.42
2.43 "Record replies and notify the recipient."
2.44
2.45 - self._record_and_deliver("VFREEBUSY", False)
2.46 + self._record_and_deliver("VFREEBUSY", from_organiser=False, queue=False)
2.47 return PersonHandler.reply(self)
2.48
2.49 def request(self):
2.50 @@ -155,7 +160,12 @@
2.51 if not oa:
2.52 return None
2.53
2.54 - (organiser, organiser_attr), attendees = oa
2.55 + (organiser, organiser_attr), attendees = organiser_item, attendees = oa
2.56 +
2.57 + # Validate the organiser, ignoring spoofed requests.
2.58 +
2.59 + if not self.validate_identities([organiser_item]):
2.60 + return None
2.61
2.62 # Construct an appropriate fragment.
2.63
2.64 @@ -268,14 +278,14 @@
2.65
2.66 "Record replies and notify the recipient."
2.67
2.68 - self._record_and_deliver("VTODO", False)
2.69 + self._record_and_deliver("VTODO", from_organiser=False, queue=False)
2.70 return PersonHandler.reply(self)
2.71
2.72 def request(self):
2.73
2.74 "Hold requests and notify the recipient."
2.75
2.76 - self._record_and_deliver("VTODO", True)
2.77 + self._record_and_deliver("VTODO", from_organiser=True, queue=True)
2.78
2.79 # The message is now wrapped and passed on to the recipient.
2.80
3.1 --- a/imiptools/handlers/resource.py Wed Oct 29 01:05:08 2014 +0100
3.2 +++ b/imiptools/handlers/resource.py Wed Oct 29 18:46:58 2014 +0100
3.3 @@ -57,7 +57,12 @@
3.4 if not oa:
3.5 return None
3.6
3.7 - (organiser, organiser_attr), attendees = oa
3.8 + organiser_item, attendees = oa
3.9 +
3.10 + # Validate the organiser, ignoring spoofed requests.
3.11 +
3.12 + if not self.validate_identities([organiser_item]):
3.13 + return None
3.14
3.15 # Process each attendee separately.
3.16
3.17 @@ -119,7 +124,12 @@
3.18 if not oa:
3.19 return None
3.20
3.21 - (organiser, organiser_attr), attendees = oa
3.22 + (organiser, organiser_attr), attendees = organiser_item, attendees = oa
3.23 +
3.24 + # Validate the organiser, ignoring spoofed requests.
3.25 +
3.26 + if not self.validate_identities([organiser_item]):
3.27 + return None
3.28
3.29 # Construct an appropriate fragment.
3.30