From b5c83f58393e31151939d0d6fc227c0d0f127f33 Mon Sep 17 00:00:00 2001 From: Hivert Quentin Date: Tue, 26 May 2026 10:30:02 +0200 Subject: [PATCH 1/2] fix(event): clean import of event --- SoObjects/Appointments/SOGoAppointmentFolder.m | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SoObjects/Appointments/SOGoAppointmentFolder.m b/SoObjects/Appointments/SOGoAppointmentFolder.m index f18c7ad77..f958eab51 100644 --- a/SoObjects/Appointments/SOGoAppointmentFolder.m +++ b/SoObjects/Appointments/SOGoAppointmentFolder.m @@ -3521,6 +3521,15 @@ firstInstanceCalendarDateRange: (NGCalendarDateRange *) fir timezone = nil; element = [components objectAtIndex: i]; + //remove all attenddees, change organisator and change uid + //If we do not clean up, any user could impersonate someone by importing a malicious .ics + //and send notificaitons to attenddes or remove their event (as SOGo think the user has the rights to do so) + [element removeAllAttendees]; + [element setOrganizer: nil]; + [element setUid: [self globallyUniqueObjectId]]; + + + if ([element isKindOfClass: iCalEventK]) { event = (iCalEvent *)element; From 97bbd7ed7f8173894f01b259f2f0f539ad6e95ed Mon Sep 17 00:00:00 2001 From: Hivert Quentin Date: Thu, 28 May 2026 14:57:59 +0200 Subject: [PATCH 2/2] fix(tool): wrong method called --- Tools/SOGoToolRenameUser.m | 1 - 1 file changed, 1 deletion(-) diff --git a/Tools/SOGoToolRenameUser.m b/Tools/SOGoToolRenameUser.m index 69399ec7a..3849c1bb8 100644 --- a/Tools/SOGoToolRenameUser.m +++ b/Tools/SOGoToolRenameUser.m @@ -584,7 +584,6 @@ [self _updateForeignSubscriptionsFromUser: oldUserID toUser: newUserID]; [self _updateLocalACLsFromUser: oldUserID toUser: newUserID]; [self _updateForeignACLsFromUser: oldUserID toUser: newUserID]; - [self _updateOldUserIDDefaultAndSettings: oldUserID toUser: newUserID]; rc = YES; }