itip_support.c: prevent partycrashing via iTIP replies

cyrusimap · Sep 18, 2024 · b82744d · b82744d
1 parent c75865d
commit b82744d
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 0 deletions.
diff --git a/cassandane/tiny-tests/Sieve/imip_reply_partycrasher b/cassandane/tiny-tests/Sieve/imip_reply_partycrasher
@@ -0,0 +1,101 @@
+#!perl
+use Cassandane::Tiny;
+
+sub test_imip_reply_partycrasher
+    :needs_component_sieve :want_service_http :min_version_3_7
+{
+    my ($self) = @_;
+
+    my $IMAP = $self->{store}->get_client();
+    $self->{store}->_select();
+    $self->assert_num_equals(1, $IMAP->uid());
+    $self->{store}->set_fetch_attributes(qw(uid flags));
+
+    xlog $self, "Create calendar user";
+    my $CalDAV = $self->{caldav};
+    my $CalendarId = 'Default';
+    my $uuid = "6de280c9-edff-4019-8ebd-cfebc73f8201";
+    my $href = "$CalendarId/$uuid.ics";
+
+    xlog $self, "Install a sieve script to process iMIP";
+    $self->{instance}->install_sieve_script(<<EOF
+require ["body", "variables", "imap4flags", "vnd.cyrus.imip"];
+if body :content "text/calendar" :contains "\nMETHOD:" {
+    processimip :outcome "outcome";
+    if string "\${outcome}" "updated" {
+        setflag "\\\\Flagged";
+    }
+}
+EOF
+    );
+
+    my $event = <<EOF;
+BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//Apple Inc.//Mac OS X 10.10.4//EN
+BEGIN:VEVENT
+CREATED:20210923T034327Z
+UID:$uuid
+DTEND;TZID=America/New_York:20210923T183000
+TRANSP:OPAQUE
+SUMMARY:An Event
+DTSTART;TZID=America/New_York:20210923T153000
+DTSTAMP:20210923T034327Z
+SEQUENCE:0
+ORGANIZER;CN=Cassandane:MAILTO:cassandane\@example.com
+ATTENDEE;CN=Cassandane;PARTSTAT=ACCEPTED:MAILTO:cassandane\@example.com
+ATTENDEE;PARTSTAT=NEEDS-ACTION;RSVP=TRUE:MAILTO:foo\@example.net
+END:VEVENT
+END:VCALENDAR
+EOF
+
+    xlog $self, "Create an event on calendar";
+    $CalDAV->Request('PUT', $href, $event, 'Content-Type' => 'text/calendar');
+
+    xlog $self, "Check that the event made it to calendar";
+    my $events = $CalDAV->GetEvents($CalendarId);
+    $self->assert_equals(1, scalar @$events);
+    $self->assert_str_equals($uuid, $events->[0]{uid});
+    $self->assert_str_equals('',
+                             $events->[0]{participants}{'[email protected]'}{name});
+    $self->assert_str_equals('needs-action',
+                             $events->[0]{participants}{'[email protected]'}{scheduleStatus});
+
+
+    my $imip = <<EOF;
+Date: Thu, 23 Sep 2021 09:06:18 -0400
+From: Bar <bar\@example.net>
+To: Cassandane <cassandane\@example.com>
+Message-ID: <$uuid\@example.net>
+Content-Type: text/calendar; method=REPLY; component=VEVENT
+X-Cassandane-Unique: $uuid
+
+BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//Apple Inc.//Mac OS X 10.10.4//EN
+METHOD:REPLY
+BEGIN:VEVENT
+UID:$uuid
+DTSTAMP:20210923T034327Z
+SEQUENCE:0
+ORGANIZER;CN=Cassandane:MAILTO:cassandane\@example.com
+ATTENDEE;CN=Party Crasher;PARTSTAT=ACCEPTED;RSVP=TRUE:MAILTO:bar\@example.net
+END:VEVENT
+END:VCALENDAR
+EOF
+
+    xlog $self, "Deliver iMIP reply";
+    my $msg = Cassandane::Message->new(raw => $imip);
+    $msg->set_attribute(uid => 1,
+                        flags => [ '\\Recent', '\\Flagged' ]);
+    $self->{instance}->deliver($msg);
+
+    xlog $self, "Check that the message made it to INBOX";
+    $self->check_messages({ 1 => $msg }, check_guid => 0);
+
+    xlog $self, "Check that the reply DID NOT get merged into the event";
+    $events = $CalDAV->GetEvents($CalendarId);
+    $self->assert_equals(1, scalar @$events);
+    $self->assert_str_equals($uuid, $events->[0]{uid});
+    $self->assert_null($events->[0]{participants}{'[email protected]'});
+}
diff --git a/imap/itip_support.c b/imap/itip_support.c
@@ -582,9 +582,15 @@ static const char *deliver_merge_reply(icalcomponent *ical,  // current iCalenda
              prop = icalcomponent_get_next_invitee(comp));
         if (!prop) {
             /* Attendee added themselves to this recurrence */
+#if 0
             assert(icalproperty_isa(prop) != ICAL_VOTER_PROPERTY);
             prop = icalproperty_clone(att);
             icalcomponent_add_property(comp, prop);
+#else
+            /* Don't allow party crashing */
+            attendee = NULL;
+            goto done;
+#endif
         }
 
         /* Set PARTSTAT */
@@ -615,6 +621,7 @@ static const char *deliver_merge_reply(icalcomponent *ical,  // current iCalenda
         if (kind == ICAL_VPOLL_COMPONENT) deliver_merge_vpoll_reply(comp, itip);
     }
 
+  done:
     free_hash_table(&override_table, NULL);
     free_hash_table(&rdate_table, NULL);
     ptrarray_fini(&rrules);
@@ -1411,6 +1418,11 @@ HIDDEN enum sched_deliver_outcome sched_deliver_local(const char *userid,
 
     case ICAL_METHOD_REPLY:
         attendee = deliver_merge_reply(ical, itip);
+        if (!attendee) {
+            SCHED_STATUS(sched_data, REQSTAT_REJECTED, SCHEDSTAT_REJECTED);
+            goto inbox;
+        }
+
         if (attendeep) *attendeep = attendee;
         break;