Use true random string as uri for public calendars - as a result we can no longer return the pre-publish-url

Author: DeepDiver1975

apps/dav/appinfo/v1/caldav.php

@@ -47,7 +47,9 @@
 );
 $db = \OC::$server->getDatabaseConnection();
 $config = \OC::$server->getConfig();
-$calDavBackend = new CalDavBackend($db, $principalBackend, \OC::$server->getUserManager(), $config);
+$userManager = \OC::$server->getUserManager();
+$random = \OC::$server->getSecureRandom();
+$calDavBackend = new CalDavBackend($db, $principalBackend, $userManager, $config, $random);
 
 $debugging = \OC::$server->getConfig()->getSystemValue('debug', false);
 

apps/dav/lib/AppInfo/Application.php

@@ -93,12 +93,15 @@ public function __construct (array $urlParams=array()) {
 		$container->registerService('CalDavBackend', function($c) {
 			/** @var IAppContainer $c */
 			$db = $c->getServer()->getDatabaseConnection();
+			$userManager = $c->getServer()->getUserManager();
 			$config = $c->getServer()->getConfig();
+			$random = $c->getServer()->getSecureRandom();
+
 			$principal = new Principal(
 				$c->getServer()->getUserManager(),
 				$c->getServer()->getGroupManager()
 			);
-			return new CalDavBackend($db, $principal, $c->getServer()->getUserManager(), $config);
+			return new CalDavBackend($db, $principal, $userManager, $config, $random);
 		});
 
 		$container->registerService('BirthdayService', function($c) {

apps/dav/lib/CalDAV/CalDavBackend.php

@@ -33,6 +33,7 @@
 use OCP\IDBConnection;
 use OCP\IUser;
 use OCP\IUserManager;
+use OCP\Security\ISecureRandom;
 use Sabre\CalDAV\Backend\AbstractBackend;
 use Sabre\CalDAV\Backend\SchedulingSupport;
 use Sabre\CalDAV\Backend\SubscriptionSupport;
@@ -124,23 +125,29 @@ class CalDavBackend extends AbstractBackend implements SyncSupport, Subscription
 	/** @var IConfig */
 	private $config;
 
+	/** @var ISecureRandom */
+	private $random;
+
 	/**
 	 * CalDavBackend constructor.
 	 *
 	 * @param IDBConnection $db
 	 * @param Principal $principalBackend
 	 * @param IUserManager $userManager
 	 * @param IConfig $config
+	 * @param ISecureRandom $random
 	 */
 	public function __construct(IDBConnection $db,
 								Principal $principalBackend,
 								IUserManager $userManager,
-								IConfig $config) {
+								IConfig $config,
+								ISecureRandom $random) {
 		$this->db = $db;
 		$this->principalBackend = $principalBackend;
 		$this->userManager = $userManager;
 		$this->sharingBackend = new Backend($this->db, $principalBackend, 'calendar');
 		$this->config = $config;
+		$this->random = $random;
 	}
 
 	/**
@@ -400,10 +407,9 @@ public function getPublicCalendar($uri) {
 		if ($row['components']) {
 			$components = explode(',',$row['components']);
 		}
-		$uri = md5($this->config->getSystemValue('secret', '') . $row['id']);
 		$calendar = [
 			'id' => $row['id'],
-			'uri' => $uri,
+			'uri' => $row['publicuri'],
 			'principaluri' => $row['principaluri'],
 			'{' . Plugin::NS_CALENDARSERVER . '}getctag' => 'http://sabre.io/ns/sync/' . ($row['synctoken']?$row['synctoken']:'0'),
 			'{http://sabredav.org/ns}sync-token' => $row['synctoken']?$row['synctoken']:'0',
@@ -1594,24 +1600,28 @@ public function getShares($resourceId) {
 	/**
 	 * @param boolean $value
 	 * @param \OCA\DAV\CalDAV\Calendar $calendar
+	 * @return string|null
 	 */
 	public function setPublishStatus($value, $calendar) {
 		$query = $this->db->getQueryBuilder();
 		if ($value) {
+			$publicUri = $this->random->generate(16, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS);
 			$query->insert('dav_shares')
 				->values([
 					'principaluri' => $query->createNamedParameter($calendar->getPrincipalURI()),
 					'type' => $query->createNamedParameter('calendar'),
 					'access' => $query->createNamedParameter(self::ACCESS_PUBLIC),
 					'resourceid' => $query->createNamedParameter($calendar->getResourceId()),
-					'publicuri' => $query->createNamedParameter(md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId()))
+					'publicuri' => $query->createNamedParameter($publicUri)
 				]);
-		} else {
-			$query->delete('dav_shares')
-				->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
-				->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
+			$query->execute();
+			return $publicUri;
 		}
+		$query->delete('dav_shares')
+			->where($query->expr()->eq('resourceid', $query->createNamedParameter($calendar->getResourceId())))
+			->andWhere($query->expr()->eq('access', $query->createNamedParameter(self::ACCESS_PUBLIC)));
 		$query->execute();
+		return null;
 	}
 
 	/**

apps/dav/lib/CalDAV/Calendar.php

@@ -252,9 +252,12 @@ function calendarQuery(array $filters) {
 
 	/**
 	 * @param boolean $value
+	 * @return string|null
 	 */
 	function setPublishStatus($value) {
-		$this->caldavBackend->setPublishStatus($value, $this);
+		$publicUri = $this->caldavBackend->setPublishStatus($value, $this);
+		$this->calendarInfo['publicuri'] = $publicUri;
+		return $publicUri;
 	}
 
 	/**

apps/dav/lib/CalDAV/Publishing/PublishPlugin.php

@@ -94,22 +94,16 @@ public function initialize(Server $server) {
 
 	public function propFind(PropFind $propFind, INode $node) {
 		if ($node instanceof Calendar) {
-			$token = md5($this->config->getSystemValue('secret', '').$node->getResourceId());
-
-			$publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
-
-			$propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node, $publishUrl) {
+			$propFind->handle('{'.self::NS_CALENDARSERVER.'}publish-url', function () use ($node) {
 				if ($node->getPublishStatus()) {
 					// We return the publish-url only if the calendar is published.
+					$token = $node->getName();
+					$publishUrl = $this->urlGenerator->getAbsoluteURL($this->server->getBaseUri().'public-calendars/').$token;
+
 					return new Publisher($publishUrl, true);
 				}
 			});
 
-			$propFind->handle('{'.self::NS_CALENDARSERVER.'}pre-publish-url', function () use ($node, $publishUrl) {
-				// The pre-publish-url is always returned
-				return new Publisher($publishUrl, false);
-			});
-
 			$propFind->handle('{'.self::NS_CALENDARSERVER.'}allowed-sharing-modes', function() use ($node) {
 				return new AllowedSharingModes(!$node->isSubscription(), !$node->isSubscription());
 			});

apps/dav/lib/Command/CreateCalendar.php

@@ -76,9 +76,10 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			$this->groupManager
 		);
 		$config = \OC::$server->getConfig();
+		$random = \OC::$server->getSecureRandom();
 
 		$name = $input->getArgument('name');
-		$caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config);
+		$caldav = new CalDavBackend($this->dbConnection, $principalBackend, $this->userManager, $config, $random);
 		$caldav->createCalendar("principals/users/$user", $name, []);
 	}
 }

apps/dav/lib/DAV/PublicAuth.php

@@ -86,10 +86,6 @@ function challenge(RequestInterface $request, ResponseInterface $response) {
 	 * @return bool
 	 */
 	private function isRequestPublic(RequestInterface $request) {
-		$params = $request->getQueryParameters();
-		if (isset($params['sabreAction']) && $params['sabreAction'] == 'asset') {
-			return true;
-		}
 		$url = $request->getPath();
 		$matchingUrls = array_filter($this->publicURLs, function ($publicUrl) use ($url) {
 			return strpos($url, $publicUrl, 0) === 0;

apps/dav/lib/RootCollection.php

@@ -39,10 +39,12 @@ class RootCollection extends SimpleCollection {
 
 	public function __construct() {
 		$config = \OC::$server->getConfig();
+		$random = \OC::$server->getSecureRandom();
+		$userManager = \OC::$server->getUserManager();
 		$db = \OC::$server->getDatabaseConnection();
 		$dispatcher = \OC::$server->getEventDispatcher();
 		$userPrincipalBackend = new Principal(
-			\OC::$server->getUserManager(),
+			$userManager,
 			\OC::$server->getGroupManager()
 		);
 		$groupPrincipalBackend = new GroupPrincipalBackend(
@@ -60,7 +62,7 @@ public function __construct() {
 		$systemPrincipals->disableListing = $disableListing;
 		$filesCollection = new Files\RootCollection($userPrincipalBackend, 'principals/users');
 		$filesCollection->disableListing = $disableListing;
-		$caldavBackend = new CalDavBackend($db, $userPrincipalBackend, \OC::$server->getUserManager(), $config);
+		$caldavBackend = new CalDavBackend($db, $userPrincipalBackend, $userManager, $config, $random);
 		$calendarRoot = new CalendarRoot($userPrincipalBackend, $caldavBackend, 'principals/users');
 		$calendarRoot->disableListing = $disableListing;
 		$publicCalendarRoot = new PublicCalendarRoot($caldavBackend);

apps/dav/tests/unit/CalDAV/AbstractCalDavBackendTest.php

@@ -29,6 +29,7 @@
 use OCA\DAV\Connector\Sabre\Principal;
 use OCP\IL10N;
 use OCP\IConfig;
+use OCP\Security\ISecureRandom;
 use Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet;
 use Sabre\DAV\PropPatch;
 use Sabre\DAV\Xml\Property\Href;
@@ -56,6 +57,9 @@ abstract class AbstractCalDavBackendTest extends TestCase {
 	/** var OCP\IConfig */
 	protected $config;
 
+	/** @var ISecureRandom */
+	private $random;
+
 	const UNIT_TEST_USER = 'principals/users/caldav-unit-test';
 	const UNIT_TEST_USER1 = 'principals/users/caldav-unit-test1';
 	const UNIT_TEST_GROUP = 'principals/groups/caldav-unit-test-group';
@@ -80,8 +84,8 @@ public function setUp() {
 
 		$db = \OC::$server->getDatabaseConnection();
 		$this->config = \OC::$server->getConfig();
-		$this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config);
-
+		$this->random = \OC::$server->getSecureRandom();
+		$this->backend = new CalDavBackend($db, $this->principal, $this->userManager, $this->config, $this->random);
 		$this->tearDown();
 	}
 

apps/dav/tests/unit/CalDAV/CalDavBackendTest.php

@@ -350,7 +350,7 @@ public function testPublications() {
 		$this->assertEquals(1, count($publicCalendars));
 		$this->assertEquals(true, $publicCalendars[0]['{http://owncloud.org/ns}public']);
 
-		$publicCalendarURI = md5($this->config->getSystemValue('secret', '') . $calendar->getResourceId());
+		$publicCalendarURI = $publicCalendars[0]['uri'];
 		$publicCalendar = $this->backend->getPublicCalendar($publicCalendarURI);
 		$this->assertEquals(true, $publicCalendar['{http://owncloud.org/ns}public']);