# HG changeset patch
# User Paul Boddie
# Date 1414604818 -3600
# Node ID 6b06a116e90bcd255138d3f069655fa22fd087cb
# Parent bea0da42e4e72d250de6f386629c16c203ba9305
Introduced method-appropriate organiser/attendee validation.
diff -r bea0da42e4e7 -r 6b06a116e90b imiptools/content.py
--- a/imiptools/content.py Wed Oct 29 01:05:08 2014 +0100
+++ b/imiptools/content.py Wed Oct 29 18:46:58 2014 +0100
@@ -404,15 +404,26 @@
 if not attendees or not organiser:
 return None
+ return organiser, attendees
+
+ def validate_identities(self, items):
+
+ """
+ Validate the 'items' against the known senders, obtaining sent-by
+ addresses from attributes provided by the items.
+ """
+
 # Reject organisers that do not match any senders.
- organiser_value, organiser_attr = self.get_item("ORGANIZER")
- sent_by = organiser_attr.get("SENT-BY")
+ identities = []
- if not self.filter_by_senders([organiser_value] + (sent_by and [sent_by] or [])):
- return None
+ for value, attr in items:
+ identities.append(value)
+ sent_by = attr.get("SENT-BY")
+ if sent_by:
+ identities.append(sent_by)
- return organiser, attendees
+ return self.filter_by_senders(identities)
 def have_new_object(self, attendee, objtype):
diff -r bea0da42e4e7 -r 6b06a116e90b imiptools/handlers/person.py
--- a/imiptools/handlers/person.py Wed Oct 29 01:05:08 2014 +0100
+++ b/imiptools/handlers/person.py Wed Oct 29 18:46:58 2014 +0100
@@ -18,13 +18,18 @@
 "Handling mechanisms specific to people."
- def _record_and_deliver(self, objtype, queue=False):
+ def _record_and_deliver(self, objtype, from_organiser=True, queue=False):
 oa = self.require_organiser_and_attendees()
 if not oa:
 return False
- (organiser, organiser_attr), attendees = oa
+ (organiser, organiser_attr), attendees = organiser_item, attendees = oa
+
+ # Validate the organiser or attendee, ignoring spoofed requests.
+
+ if not self.validate_identities(from_organiser and [organiser_item] or attendees):
+ return False
 # Process each attendee separately.
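Review bot: The context comment `# Reject organisers that do not match any senders.` now sits inside validate_identities, which the person.py hunk in this commit also calls with a list of attendees, so it describes only one of the callers; `# Reject items (organiser or attendees) whose address and SENT-BY address match none of the known senders.` would match the new scope. The docstring should also say what comes back and that the check is made over the collected addresses as a whole, e.g. `Return the result of filter_by_senders() for all collected addresses.`, since every new call site uses the value as a boolean and passes several items at once. Whether one matching address is enough for the whole list depends on filter_by_senders, whose definition is outside the hunk, and that is worth stating explicitly once confirmed. The hunk opens inside require_organiser_and_attendees, whose start lies outside the hunk.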
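Review bot: With from_organiser=False the whole attendees list is handed to validate_identities, so a REPLY is accepted whenever the sender matches some attendee of the event rather than the attendee whose participation status the reply carries; if filter_by_senders accepts on any single match (its body is outside this hunk), the attendee-side check should be narrowed to the attendee the reply concerns, or the per-attendee processing that follows should compare each attendee against the sender again. The chained assignment `(organiser, organiser_attr), attendees = organiser_item, attendees = oa` is hard to read and still binds organiser and organiser_attr even where they may no longer be used; `organiser_item, attendees = oa` followed by `organiser, organiser_attr = organiser_item` says the same thing, and the resource.py hunk at @@ -57 already uses the shorter form while person.py @@ -155 and resource.py @@ -119 keep the chained one. Likewise `[organiser_item] if from_organiser else attendees` is the clearer form of the and/or idiom, which is only safe here because a one-element list is always truthy. _record_and_deliver continues past the end of the hunk.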
@@ -108,14 +113,14 @@
 "Record replies and notify the recipient."
- self._record_and_deliver("VEVENT", False)
+ self._record_and_deliver("VEVENT", from_organiser=False, queue=False)
 return PersonHandler.reply(self)
 def request(self):
 "Hold requests and notify the recipient."
- self._record_and_deliver("VEVENT", True)
+ self._record_and_deliver("VEVENT", from_organiser=True, queue=True)
 # The message is now wrapped and passed on to the recipient.
@@ -138,7 +143,7 @@
 "Record replies and notify the recipient."
- self._record_and_deliver("VFREEBUSY", False)
+ self._record_and_deliver("VFREEBUSY", from_organiser=False, queue=False)
 return PersonHandler.reply(self)
 def request(self):
@@ -155,7 +160,12 @@
 if not oa:
 return None
- (organiser, organiser_attr), attendees = oa
+ (organiser, organiser_attr), attendees = organiser_item, attendees = oa
+
+ # Validate the organiser, ignoring spoofed requests.
+
+ if not self.validate_identities([organiser_item]):
+ return None
 # Construct an appropriate fragment.
@@ -268,14 +278,14 @@
 "Record replies and notify the recipient."
- self._record_and_deliver("VTODO", False)
+ self._record_and_deliver("VTODO", from_organiser=False, queue=False)
 return PersonHandler.reply(self)
 def request(self):
 "Hold requests and notify the recipient."
- self._record_and_deliver("VTODO", True)
+ self._record_and_deliver("VTODO", from_organiser=True, queue=True)
 # The message is now wrapped and passed on to the recipient.
diff -r bea0da42e4e7 -r 6b06a116e90b imiptools/handlers/resource.py
--- a/imiptools/handlers/resource.py Wed Oct 29 01:05:08 2014 +0100
+++ b/imiptools/handlers/resource.py Wed Oct 29 18:46:58 2014 +0100
@@ -57,7 +57,12 @@
 if not oa:
 return None
- (organiser, organiser_attr), attendees = oa
+ organiser_item, attendees = oa
+
+ # Validate the organiser, ignoring spoofed requests.
+
+ if not self.validate_identities([organiser_item]):
+ return None
 # Process each attendee separately.
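Review bot: The sequence `oa = self.require_organiser_and_attendees()` / `if not oa: return None` / `if not self.validate_identities([organiser_item]): return None` added in the @@ -155 hunk is repeated verbatim in resource.py @@ -57 and @@ -119, and _record_and_deliver in the earlier person.py hunk carries a variant of it, so any future handler that calls require_organiser_and_attendees without the follow-up check silently skips sender validation. Folding the check into the helper — for instance a method along the lines of `require_validated_organiser_and_attendees()` (name is a suggestion) that returns None when either the organiser/attendee data is missing or validate_identities fails — would make the validated path the default and leave one place to audit. The method enclosing the @@ -155 hunk starts and ends outside the hunk.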
@@ -119,7 +124,12 @@
 if not oa:
 return None
- (organiser, organiser_attr), attendees = oa
+ (organiser, organiser_attr), attendees = organiser_item, attendees = oa
+
+ # Validate the organiser, ignoring spoofed requests.
+
+ if not self.validate_identities([organiser_item]):
+ return None
 # Construct an appropriate fragment.