obfuscate list_webcals links to hide user:pass (bug 1819552)

2 files changed, 16 insertions, 6 deletions

diff --git a/functions/calendar_functions.php b/functions/calendar_functions.php
index 48bc9ba..8f02bd7 100644
--- a/functions/calendar_functions.php
+++ b/functions/calendar_functions.php
@@ -184,7 +184,7 @@ function getCalendarName($cal_path) {
 //
 // $cals	= The calendars (entire path, e.g. from availableCalendars).
 function display_ical_list($cals, $pick=FALSE) {
-	global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $phpiCal_config;
+	global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $list_webcals, $phpiCal_config;
 	// Print each calendar option.
 	$return = '';
 	foreach ($cals as $cal_tmp) {
@@ -193,15 +193,15 @@ function display_ical_list($cals, $pick=FALSE) {
 		// Only display the calendar name, replace all instances of "32" with " ",
 		// and remove the .ics suffix.
 		$cal_displayname_tmp = getCalendarName($cal_tmp);
-		$cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp);
+		#$cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp);
 		#overwrite the display name if we already have a real name
 		if (is_numeric(array_search($cal_tmp, $cal_filelist))){
 			$cal_displayname_tmp = $cal_displaynames[array_search($cal_tmp,$cal_filelist)];
 		}else{
 			# pull the name from the $cal_tmp file
-			$cal_tmp = str_replace('webcal://','http://',$cal_tmp);
+			$cal_tmp2 = str_replace('webcal://','http://',$cal_tmp);
 
-			$ifile = @fopen($cal_tmp, "r");
+			$ifile = @fopen($cal_tmp2, "r");
 			if ($ifile == FALSE) exit(error($lang['l_error_cantopen'], $cal_tmp));
 			while (!feof($ifile)) {
 				$line = fgets($ifile, 1024);
@@ -241,7 +241,9 @@ function display_ical_list($cals, $pick=FALSE) {
 
 		// Encode the calendar path.
 		$cal_encoded_tmp = urlencode($cal_tmp);
-
+		if(in_array($cal_tmp, $list_webcals)){
+			$cal_encoded_tmp = md5($phpiCal_config->salt.$cal_tmp);;
+		}
 		// Display the option.
 		//
 		// The submitted calendar will be encoded, and always use http://
diff --git a/functions/init.inc.php b/functions/init.inc.php
index 955d45a..87f4f47 100644
--- a/functions/init.inc.php
+++ b/functions/init.inc.php
@@ -66,6 +66,10 @@ if ($cal_filenames[0] == $phpiCal_config->ALL_CALENDARS_COMBINED){
 $web_cals = array();
 $local_cals = array();
 foreach ($cal_filenames as $cal_filename) {
+	# substitute for md5-obscured list_webcals
+	foreach ($list_webcals as $tmp_cal){
+		if($cal_filename == md5($phpiCal_config->salt.$tmp_cal)) $cal_filename = $tmp_cal;
+	}
 	// If the calendar identifier begins with a web protocol, this is a web
 	// calendar.
 	$cal_filename = urldecode($cal_filename); #need to decode for substr statements to identify webcals
@@ -107,7 +111,6 @@ foreach ($web_cals as $web_cal) {
 	$cal_httpPrefix = str_replace('webcal://','http://',$web_cal);
 	$cal_httpsPrefix = str_replace('webcal://','https://',$web_cal);
 	$cal_httpsPrefix = str_replace('http://','https://',$web_cal);
-	$web_cal = $cal_httpPrefix;
 		
 	// We can only include this web calendar if we allow all web calendars
 	// (as defined by $allow_webcals) or if the web calendar shows up in the
@@ -125,11 +128,16 @@ foreach ($web_cals as $web_cal) {
 	$cal_displaynames[] = substr(basename($web_cal), 0, -4);
 	
 	// FIXME
+	echo "$web_cal<br>";
+	if(in_array($web_cal, $list_webcals)){
+		$web_cal = md5($phpiCal_config->salt.$web_cal);
+	}
 	$cals[] = urlencode($web_cal);
 	//$filename = $cal_filename;
 	$subscribe_path = $cal_webcalPrefix;
 	
 	// Add the webcal to the available calendars.
+	$web_cal = $cal_httpPrefix;
 	$cal_filelist[] = $web_cal;
 }