From 6bdbb8f7ae793f146d98fdf63e7e037f37847bed Mon Sep 17 00:00:00 2001
From: Jim Hu
Date: Sun, 28 Dec 2008 11:55:43 +0000
Subject: obfuscate list_webcals links to hide user:pass (bug 1819552)
---
 functions/calendar_functions.php | 12 +++++++-----
 functions/init.inc.php | 10 +++++++++-
 2 files changed, 16 insertions(+), 6 deletions(-)
(limited to 'functions')
diff --git a/functions/calendar_functions.php b/functions/calendar_functions.php
index 48bc9ba..8f02bd7 100644
--- a/functions/calendar_functions.php
+++ b/functions/calendar_functions.php
@@ -184,7 +184,7 @@ function getCalendarName($cal_path) {
 //
 // $cals = The calendars (entire path, e.g. from availableCalendars).
 function display_ical_list($cals, $pick=FALSE) {
- global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $phpiCal_config;
+ global $cal, $current_view, $getdate, $lang, $calendar_lang, $all_cal_comb_lang, $cal_filelist, $cal_displaynames, $list_webcals, $phpiCal_config;
 // Print each calendar option.
 $return = '';
 foreach ($cals as $cal_tmp) {
@@ -193,15 +193,15 @@ function display_ical_list($cals, $pick=FALSE) {
 // Only display the calendar name, replace all instances of "32" with " ",
 // and remove the .ics suffix.
 $cal_displayname_tmp = getCalendarName($cal_tmp);
- $cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp);
+ #$cal_displayname_tmp = str_replace("32", " ", $cal_displayname_tmp);
 #overwrite the display name if we already have a real name
 if (is_numeric(array_search($cal_tmp, $cal_filelist))){
 $cal_displayname_tmp = $cal_displaynames[array_search($cal_tmp,$cal_filelist)];
 }else{
 # pull the name from the $cal_tmp file
- $cal_tmp = str_replace('webcal://','http://',$cal_tmp);
+ $cal_tmp2 = str_replace('webcal://','http://',$cal_tmp);

- $ifile = @fopen($cal_tmp, "r");
+ $ifile = @fopen($cal_tmp2, "r");
 if ($ifile == FALSE) exit(error($lang['l_error_cantopen'], $cal_tmp));
 while (!feof($ifile)) {
 $line = fgets($ifile, 1024);
@@ -241,7 +241,9 @@ function display_ical_list($cals, $pick=FALSE) {
 // Encode the calendar path.
 $cal_encoded_tmp = urlencode($cal_tmp);
-
+ if(in_array($cal_tmp, $list_webcals)){
+ $cal_encoded_tmp = md5($phpiCal_config->salt.$cal_tmp);;
+ }
 // Display the option.
 //
 // The submitted calendar will be encoded, and always use http://
diff --git a/functions/init.inc.php b/functions/init.inc.php
index 955d45a..87f4f47 100644
--- a/functions/init.inc.php
+++ b/functions/init.inc.php
@@ -66,6 +66,10 @@ if ($cal_filenames[0] == $phpiCal_config->ALL_CALENDARS_COMBINED){
 $web_cals = array();
 $local_cals = array();
 foreach ($cal_filenames as $cal_filename) {
+ # substitute for md5-obscured list_webcals
+ foreach ($list_webcals as $tmp_cal){
+ if($cal_filename == md5($phpiCal_config->salt.$tmp_cal)) $cal_filename = $tmp_cal;
+ }
 // If the calendar identifier begins with a web protocol, this is a web
 // calendar.
 $cal_filename = urldecode($cal_filename); #need to decode for substr statements to identify webcals
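Review bot: The unchanged error path `if ($ifile == FALSE) exit(error($lang['l_error_cantopen'], $cal_tmp));` still hands the full calendar URL to error(), and after this change `$cal_tmp` keeps its original form, so any `user:pass` embedded in it would presumably be shown to the visitor whenever the fetch fails. Since the commit's aim is to keep those credentials out of the page, pass a redacted value instead, for example `exit(error($lang['l_error_cantopen'], $cal_displayname_tmp));`, assuming getCalendarName() returns only the file name. The commented-out `str_replace("32", " ", ...)` line should be deleted rather than left in, along with the comment above it that still describes it. display_ical_list starts and ends outside the hunk.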
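Review bot: `md5($phpiCal_config->salt.$cal_tmp)` puts a fast digest of the credentialed URL into the page, so the token is only as secret as the salt. If the salt is empty, left at a default or otherwise known (its definition is not visible here), the published token lets guesses for the embedded password be checked offline. Prefer a keyed construction such as `hash_hmac('sha256', $cal_tmp, $phpiCal_config->salt)`, or an opaque per-calendar index, and refuse to run with an empty salt. The same expression is used in the two init.inc.php hunks that compute the token, so all three places have to change together. The stray second semicolon in `);;` should go, and `in_array($cal_tmp, $list_webcals, true)` avoids loose matching.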
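Review bot: The token check `if($cal_filename == md5(...))` uses loose comparison on what is presumably a request-supplied value; PHP compares two numeric-looking strings numerically, so a digest that happens to look like a number can match an unrelated input. Use strict comparison and stop at the first match: `if ($cal_filename === md5($phpiCal_config->salt.$tmp_cal)) { $cal_filename = $tmp_cal; break; }`. The inner loop also assumes `$list_webcals` is always an array and recomputes every digest for each requested calendar; a token-to-URL map built once before the outer `foreach` would be clearer. The enclosing `foreach` body continues past the hunk.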
@@ -107,7 +111,6 @@ foreach ($web_cals as $web_cal) { $cal_httpPrefix = str_replace('webcal://','http://',$web_cal); $cal_httpsPrefix = str_replace('webcal://','https://',$web_cal); $cal_httpsPrefix = str_replace('http://','https://',$web_cal); - $web_cal = $cal_httpPrefix; // We can only include this web calendar if we allow all web calendars // (as defined by $allow_webcals) or if the web calendar shows up in the @@ -125,11 +128,16 @@ foreach ($web_cals as $web_cal) { $cal_displaynames[] = substr(basename($web_cal), 0, -4); // FIXME + echo "$web_cal
"; + if(in_array($web_cal, $list_webcals)){ + $web_cal = md5($phpiCal_config->salt.$web_cal); + } $cals[] = urlencode($web_cal); //$filename = $cal_filename; $subscribe_path = $cal_webcalPrefix; // Add the webcal to the available calendars. + $web_cal = $cal_httpPrefix; $cal_filelist[] = $web_cal; } -- cgit v1.2.3
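Review bot: The added `echo "$web_cal ..."` statement prints every web calendar URL into the response before it is replaced by its md5 token, which looks like leftover debugging and exposes exactly the `user:pass` the commit sets out to hide. It should be removed; if the trace is still needed, log a redacted value server-side rather than echoing it. The value is also written without `htmlspecialchars()`, so it reaches the page unescaped. The surrounding `foreach ($web_cals as $web_cal)` body starts outside the hunk.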