From 72aab7f83f03468a412c9f933059394829a45fa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20Amor=20Garc=C3=ADa?= Date: Thu, 18 Jun 2015 18:19:02 +0200 Subject: [PATCH 1/2] ActiveSync: can be controlled by module constraint Added 'ActiveSync' module constraint. If constraint is not honored the ActiveSync request returns a forbidden (403). --- ActiveSync/SOGoActiveSyncDispatcher.m | 9 ++++++++ SoObjects/SOGo/LDAPSource.m | 2 ++ SoObjects/SOGo/SOGoUserManager.m | 33 ++++++++++++++++----------- 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/ActiveSync/SOGoActiveSyncDispatcher.m b/ActiveSync/SOGoActiveSyncDispatcher.m index 7cd0e5c53..c2f64786e 100644 --- a/ActiveSync/SOGoActiveSyncDispatcher.m +++ b/ActiveSync/SOGoActiveSyncDispatcher.m @@ -2753,6 +2753,7 @@ static BOOL debugOn = NO; NSAutoreleasePool *pool; id builder, dom; SEL aSelector; + id activeUser; NSString *cmdName, *deviceId; NSData *d; @@ -2761,6 +2762,14 @@ static BOOL debugOn = NO; ASSIGN(context, theContext); + activeUser = [context activeUser]; + if (![activeUser canAccessModule: @"ActiveSync"]) + { + [theResponse setStatus: 403]; + [self logWithFormat: @"EAS - Forbidden access for user %@", [activeUser loginInDomain]]; + return nil; + } + // Get the device ID, device type and "stash" them deviceId = [[theRequest uri] deviceId]; [context setObject: deviceId forKey: @"DeviceId"]; diff --git a/SoObjects/SOGo/LDAPSource.m b/SoObjects/SOGo/LDAPSource.m index 3ca686386..d537c6aec 100644 --- a/SoObjects/SOGo/LDAPSource.m +++ b/SoObjects/SOGo/LDAPSource.m @@ -1167,6 +1167,8 @@ groupObjectClasses: (NSArray *) newGroupObjectClasses intoLDIFRecord: (NSMutableDictionary *) ldifRecord]; [self _fillConstraints: ldapEntry forModule: @"Mail" intoLDIFRecord: (NSMutableDictionary *) ldifRecord]; + [self _fillConstraints: ldapEntry forModule: @"ActiveSync" + intoLDIFRecord: (NSMutableDictionary *) ldifRecord]; if (contactMapping) [self _applyContactMappingToResult: ldifRecord]; 
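Review bot: The new 403 branch in the second hunk of `SOGoActiveSyncDispatcher.m` returns straight after `ASSIGN(context, theContext);` and skips whatever cleanup the normal path does. The first hunk shows an `NSAutoreleasePool *pool;` local; if that pool is created in the lines hidden between the two hunks, this branch should drop it first, e.g. `[pool release];` ahead of `return nil;`. The check itself fails closed, since a nil `activeUser` makes `canAccessModule:` return NO and the request is refused. The method starts and ends outside the hunk, so the pool handling needs confirming against the full body.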
diff --git a/SoObjects/SOGo/SOGoUserManager.m b/SoObjects/SOGo/SOGoUserManager.m index 86d198d2b..dcabeb492 100644 --- a/SoObjects/SOGo/SOGoUserManager.m +++ b/SoObjects/SOGo/SOGoUserManager.m @@ -636,7 +636,7 @@ static Class NSNullK; [currentSource setBindPassword: _pwd]; } } - + return checkOK; } @@ -729,6 +729,12 @@ static Class NSNullK; NSNumber *isGroup; NSArray *c_emails; BOOL access; + NSEnumerator *enumerator; + NSString *access_type; + NSArray *access_types_list = [NSArray arrayWithObjects: @"CalendarAccess", + @"MailAccess", + @"ActiveSyncAccess", + nil]; emails = [NSMutableArray array]; cn = nil; @@ -738,10 +744,10 @@ static Class NSNullK; c_imaplogin = nil; c_sievehostname = nil; - [currentUser setObject: [NSNumber numberWithBool: YES] - forKey: @"CalendarAccess"]; - [currentUser setObject: [NSNumber numberWithBool: YES] - forKey: @"MailAccess"]; + enumerator = [access_types_list objectEnumerator]; + while ((access_type = [enumerator nextObject]) != nil) + [currentUser setObject: [NSNumber numberWithBool: YES] + forKey: access_type]; sogoSources = [[self authenticationSourceIDsInDomain: domain] objectEnumerator]; userEntry = nil; 
@@ -768,14 +774,15 @@ static Class NSNullK; c_imaplogin = [userEntry objectForKey: @"c_imaplogin"]; if (!c_sievehostname) c_sievehostname = [userEntry objectForKey: @"c_sievehostname"]; - access = [[userEntry objectForKey: @"CalendarAccess"] boolValue]; - if (!access) - [currentUser setObject: [NSNumber numberWithBool: NO] - forKey: @"CalendarAccess"]; - access = [[userEntry objectForKey: @"MailAccess"] boolValue]; - if (!access) - [currentUser setObject: [NSNumber numberWithBool: NO] - forKey: @"MailAccess"]; + + enumerator = [access_types_list objectEnumerator]; + while ((access_type = [enumerator nextObject]) != nil) + { + access = [[userEntry objectForKey: access_type] boolValue]; + if (!access) + [currentUser setObject: [NSNumber numberWithBool: NO] + forKey: access_type]; + } // We check if it's a group isGroup = [userEntry objectForKey: @"isGroup"]; From 62b16f4ef35202cbaf37a43f54e589bd051f902d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Enrique=20J=2E=20Hern=C3=A1ndez=20Blasco?= Date: Mon, 29 Jun 2015 23:50:55 +0200 Subject: [PATCH 2/2] oc: Check PidTagObjectType before dereferencing on ModifyRecipients This is crashing when the PidTagObjectType property is set for some recipient and not for others. If the property is missing, then no object type for the recipient is assumed. --- OpenChange/MAPIStoreMessage.m | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/OpenChange/MAPIStoreMessage.m b/OpenChange/MAPIStoreMessage.m index 1613171ea..b842b2d6c 100644 --- a/OpenChange/MAPIStoreMessage.m +++ b/OpenChange/MAPIStoreMessage.m @@ -202,7 +202,8 @@ rtf2html (NSData *compressedRTF) email = recipient->data[count]; break; case PidTagObjectType: - object_type = *((uint8_t*) recipient->data[count]); + if (recipient->data[count]) + object_type = *((uint8_t*) recipient->data[count]); break; case PidTagSmtpAddress: smtpAddress = recipient->data[count]; 
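Review bot: The new loop in the `SOGoUserManager.m` hunk at -768 treats a missing key as a denial: `[[userEntry objectForKey: access_type] boolValue]` is NO when a source never sets `ActiveSyncAccess`, so the YES seeded in the previous hunk is cleared. In this patch only `LDAPSource.m` starts filling the ActiveSync constraint, so users from any other source type would presumably get a 403 on every ActiveSync request after upgrade. That is the safe direction, but it should be a stated decision, either by having every source set the key or by a comment above the loop such as `/* a source that does not set the key denies the module */`. The enclosing method starts and ends outside the hunk.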
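Review bot: Skipping the assignment when `recipient->data[count]` is NULL only yields "no object type" if `object_type` is reset for each recipient before this switch runs, and that initialisation is outside the hunk. If the variable is uninitialised or carried over between recipients, a recipient without PidTagObjectType would reuse an indeterminate or stale value, and the `object_type == MAPI_MAILUSER` test in the next hunk would act on it. Making the missing case explicit would remove the doubt, e.g. `else object_type = 0;` after the guarded assignment, assuming zero is not a valid object type here. The enclosing function starts and ends outside the hunk.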
@@ -229,7 +230,7 @@ rtf2html (NSData *compressedRTF) if (object_type == MAPI_MAILUSER && recipient->username) { - /* values from user object have priority uppon the data passed for the client */ + /* values from user object have priority over data sent by the client */ recipientUser = [SOGoUser userWithLogin: [value lowercaseString]]; if (recipientUser) {