From 6bdbb8f7ae793f146d98fdf63e7e037f37847bed Mon Sep 17 00:00:00 2001 From: Jim Hu Date: Sun, 28 Dec 2008 11:55:43 +0000 Subject: obfuscate list_webcals links to hide user:pass (bug 1819552) --- config.inc.php | 5 ++++- default_config.php | 2 +- functions/calendar_functions.php | 12 +++++++----- functions/init.inc.php | 10 +++++++++- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/config.inc.php b/config.inc.php index 7cd0b5b..f89eef1 100644 --- a/config.inc.php +++ b/config.inc.php @@ -22,6 +22,8 @@ As noted, phpicalendar should work without adjusting the default settings. Chan default_path, cookie_uri, and download_uri are a URL paths, e.g. http://www.example.com/phpicalendar; set these if you are having problems. Note that the allow_webcals setting allows webcals to be passed as URLs. You do NOT need to override the default setting to list specific webcals for inclusion in the SPECIAL CALENDARS section below. + +The salt parameter is used to obfuscate things like webcal links that may have usernames and passwords. This should be changed. */ # 'calendar_path' => '/Library/WebServer/Documents/phpicalendar/calendars/recur_tests', # 'default_path' => '', @@ -30,6 +32,7 @@ Note that the allow_webcals setting allows webcals to be passed as URLs. You do # 'download_uri' => '', # 'allow_webcals' => 'yes', # 'recursive_path' => 'yes', +# 'salt' => 'SaLt4', /* ** Timezones ** If timezone is not set, all events show in the local time of the source calendar. This isn't a problem if all your calendars are in the same timezone. If you set a timezone for the server, events in other timezones are shown when they occur at the server's time. @@ -80,7 +83,7 @@ these arrays provide extra calendar options. */ $list_webcals = array( -# 'webcal://dimer.tamu.edu/calendars/seminars/Biochem.ics' + 'webcal://dimer.tamu.edu/calendars/seminars/Biochem.ics' ); $more_webcals['recur_tests'] = array(); $locked_cals = array( 
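Review bot: The sample line `# 'salt' => 'SaLt4',` in config.inc.php publishes a short, fixed salt that an administrator is likely to uncomment unchanged, and the default added in default_config.php is `$this->salt = '';`, so out of the box the link token is a plain MD5 of the calendar URL. With either value, anyone who knows or guesses the host and path can check candidate user:pass pairs against a token offline. I would replace the sample with a value that cannot be used as-is, for example `# 'salt' => '',   // REQUIRED: set to a long random string unique to this install`. The code should also decline to list webcals that carry credentials while the salt is still empty.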
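Review bot: In the `$list_webcals` hunk the entry `'webcal://dimer.tamu.edu/calendars/seminars/Biochem.ics'` loses its leading `#`, which looks like local test configuration committed by accident rather than part of the obfuscation change. With it active, a fresh install lists a third-party calendar by default, and display_ical_list() in this same commit can open a listed calendar with `fopen()` and exits if that fails. I would restore the comment marker, `# 'webcal://dimer.tamu.edu/calendars/seminars/Biochem.ics'`, so the shipped list stays empty.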
diff --git a/default_config.php b/default_config.php index 892a0cc..404af5d 100644 --- a/default_config.php +++ b/default_config.php @@ -67,7 +67,7 @@ class Configs{ $this->ftp_server = 'localhost'; // Only used if $this->auth_method='ftp'. The ftp server name. 'localhost' will work for most servers. $this->ftp_port = '21'; // Only used if $this->auth_method='ftp'. The ftp port. '21' is the default for ftp servers. $this->ftp_calendar_path = ''; // Only used if $this->auth_method='ftp'. The full path to the calendar directory on the ftp server. If = '', will attempt to deduce the path based on $this->calendar_path, but may not be accurate depending on ftp server config. - + $this->salt = ''; // Calendar colors // // You can increase the number of unique colors by adding additional images (monthdot_n.gif) diff --git a/functions/calendar_functions.php b/functions/calendar_functions.php index 48bc9ba..8f02bd7 100644 --- a/functions/calendar_functions.php +++ b/functions/calendar_functions.php @@ -184,7 +184,7 @@ function getCalendarName($cal_path) { // // $cals = The calendars (entire path, e.g. from availableCalendars). function display_ical_list($cals, $pick=FALSE) { - global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $phpiCal_config; + global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $list_webcals, $phpiCal_config; // Print each calendar option. $return = ''; foreach ($cals as $cal_tmp) { 
@@ -193,15 +193,15 @@ function display_ical_list($cals, $pick=FALSE) { // Only display the calendar name, replace all instances of "32" with " ", // and remove the .ics suffix. $cal_displayname_tmp = getCalendarName($cal_tmp); - $cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp); + #$cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp); #overwrite the display name if we already have a real name if (is_numeric(array_search($cal_tmp, $cal_filelist))){ $cal_displayname_tmp = $cal_displaynames[array_search($cal_tmp,$cal_filelist)]; }else{ # pull the name from the $cal_tmp file - $cal_tmp = str_replace('webcal://','http://',$cal_tmp); + $cal_tmp2 = str_replace('webcal://','http://',$cal_tmp); - $ifile = @fopen($cal_tmp, "r"); + $ifile = @fopen($cal_tmp2, "r"); if ($ifile == FALSE) exit(error($lang['l_error_cantopen'], $cal_tmp)); while (!feof($ifile)) { $line = fgets($ifile, 1024); @@ -241,7 +241,9 @@ function display_ical_list($cals, $pick=FALSE) { // Encode the calendar path. $cal_encoded_tmp = urlencode($cal_tmp); - + if(in_array($cal_tmp, $list_webcals)){ + $cal_encoded_tmp = md5($phpiCal_config->salt.$cal_tmp);; + } // Display the option. // // The submitted calendar will be encoded, and always use http:// diff --git a/functions/init.inc.php b/functions/init.inc.php index 955d45a..87f4f47 100644 --- a/functions/init.inc.php +++ b/functions/init.inc.php @@ -66,6 +66,10 @@ if ($cal_filenames[0] == $phpiCal_config->ALL_CALENDARS_COMBINED){ $web_cals = array(); $local_cals = array(); foreach ($cal_filenames as $cal_filename) { + # substitute for md5-obscured list_webcals + foreach ($list_webcals as $tmp_cal){ + if($cal_filename == md5($phpiCal_config->salt.$tmp_cal)) $cal_filename = $tmp_cal; + } // If the calendar identifier begins with a web protocol, this is a web // calendar. $cal_filename = urldecode($cal_filename); #need to decode for substr statements to identify webcals 
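Review bot: The failure path `exit(error($lang['l_error_cantopen'], $cal_tmp));` still passes the original calendar URL, so when a listed webcal with embedded credentials cannot be opened, the user:pass this commit is meant to hide would presumably appear in the error page (error() is defined outside this hunk). Pass a value without the userinfo part instead, for example `exit(error($lang['l_error_cantopen'], $cal_displayname_tmp));`, assuming getCalendarName() returns only the calendar name as the surrounding comment says. Separately, the `str_replace("32", " ", ...)` call is commented out rather than removed, and the comment above it still describes that replacement; delete both or restore the call. The body of display_ical_list() starts and ends outside this hunk.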
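Review bot: `md5($phpiCal_config->salt.$cal_tmp);;` builds the public token by hashing the salt and URL concatenated with MD5, which is not a keyed construction, and the statement ends with a stray second semicolon. A keyed hash suits a value that is exposed in links, for example `$cal_encoded_tmp = hash_hmac('sha256', $cal_tmp, $phpiCal_config->salt);` where the hash extension is available. The same expression appears twice in functions/init.inc.php, in the substitution loop and before `$cals[] = urlencode($web_cal);`, so all three sites must change together, ideally through one shared helper. `in_array($cal_tmp, $list_webcals)` should also pass `true` as its third argument so the membership test is strict.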
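Review bot: The substitution test `if($cal_filename == md5($phpiCal_config->salt.$tmp_cal))` compares a value that appears to come from the request with a hex digest using loose `==`, which PHP evaluates numerically when both strings look numeric, so values other than the exact token can compare equal. Use a strict comparison and stop at the first hit: `if ($cal_filename === md5($phpiCal_config->salt.$tmp_cal)) { $cal_filename = $tmp_cal; break; }`. The loop also recomputes every digest for every requested calendar; building the token-to-URL map once before the outer `foreach` would avoid that. The enclosing `foreach` continues past the end of this hunk.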
@@ -107,7 +111,6 @@ foreach ($web_cals as $web_cal) { $cal_httpPrefix = str_replace('webcal://','http://',$web_cal); $cal_httpsPrefix = str_replace('webcal://','https://',$web_cal); $cal_httpsPrefix = str_replace('http://','https://',$web_cal); - $web_cal = $cal_httpPrefix; // We can only include this web calendar if we allow all web calendars // (as defined by $allow_webcals) or if the web calendar shows up in the @@ -125,11 +128,16 @@ foreach ($web_cals as $web_cal) { $cal_displaynames[] = substr(basename($web_cal), 0, -4); // FIXME + echo "$web_cal
"; + if(in_array($web_cal, $list_webcals)){ + $web_cal = md5($phpiCal_config->salt.$web_cal); + } $cals[] = urlencode($web_cal); //$filename = $cal_filename; $subscribe_path = $cal_webcalPrefix; // Add the webcal to the available calendars. + $web_cal = $cal_httpPrefix; $cal_filelist[] = $web_cal; } -- cgit v1.2.3
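Review bot: The debug statement added under `// FIXME`, `echo "$web_cal` … `";`, prints every web calendar URL into the page before it is replaced by its MD5 token, so a listed webcal with embedded user:pass is disclosed in the response body, which defeats the purpose of this commit. The line should be deleted before merge. `in_array($web_cal, $list_webcals)` now also depends on `$web_cal` keeping its original scheme until `$web_cal = $cal_httpPrefix;` further down. A short comment there, such as `# keep the original URL until the token is computed; $cal_filelist stores the http:// form`, would make that ordering explicit. The enclosing `foreach` starts outside this hunk.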