humhub / calendar

Create one-time or recurring events, invite and manage attendees, and keep track of all your events with the Calendar module.

Bug on entry URL for recurrent events since version 1.5.3 #425

Closed marc-farre closed 11 months ago

marc-farre commented 11 months ago

Since Calendar version 1.5.3, I'm receiving errors from the log about recurring events.

I cannot reproduce the bug, but it occurs on several HumHub instances and from a guest or a cron job (I don't know). Full log below.

The bug is created because somewhere in the code, the CalendarEntry->getUrl() function is called to create the URL of a calendar entry (a recurrent one) and an apostrophe is added to each URL param.

The URL gets like this (see the %27 added):

/s/my-space/calendar/entry/view-recurrence?id=1395%27&parent_id=1351%27&recurrence_id=20231211T183000%27

When I click on the event in the calendar view, the URL is correct. Even as a guest. And the cal=1 URL param is added. Here this cal=1 is not present, so it must be somewhere else than in the full calendar view.

Exception: Failed to parse time string (20231211T183000') at position 15 ('): Unexpected character in /var/www/humhub/protected/modules/calendar/models/recurrence/CalendarRecurrenceExpand.php:105
Stack trace:
#0 /var/www/humhub/protected/modules/calendar/models/recurrence/CalendarRecurrenceExpand.php(105): DateTime->__construct()
#1 /var/www/humhub/protected/modules/calendar/interfaces/recurrence/AbstractRecurrenceQuery.php(92): humhub\modules\calendar\models\recurrence\CalendarRecurrenceExpand::expandSingle()
#2 /var/www/humhub/protected/modules/calendar/controllers/EntryController.php(97): humhub\modules\calendar\interfaces\recurrence\AbstractRecurrenceQuery->expandSingle()
#3 [internal function]: humhub\modules\calendar\controllers\EntryController->actionViewRecurrence()
#4 /var/www/humhub/protected/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array()
#5 /var/www/humhub/protected/vendor/yiisoft/yii2/base/Controller.php(178): yii\base\InlineAction->runWithParams()
#6 /var/www/humhub/protected/vendor/yiisoft/yii2/base/Module.php(552): yii\base\Controller->runAction()
#7 /var/www/humhub/protected/vendor/yiisoft/yii2/web/Application.php(103): yii\base\Module->runAction()
#8 /var/www/humhub/protected/vendor/yiisoft/yii2/base/Application.php(384): yii\web\Application->handleRequest()
#9 /var/www/humhub/index.php(25): yii\base\Application->run()
#10 {main}
2023-09-23 12:32:01
[20.163.28.230][-][4i41klegsu19ebo9iu4d2s45tf][info][application]
$_GET = [
'id' => '1395\''
'parent_id' => '1351\''
'recurrence_id' => '20231211T183000\''
'cguid' => 'ea44237e-f04b-4a79-8cf1-58123b1cd84c'
]

$_POST = []

$_FILES = []

$_SERVER = [
'REDIRECT_SCRIPT_URL' => '/s/my-space/calendar/entry/view-recurrence'
'REDIRECT_SCRIPT_URI' => 'https://www.my-humhub.com/s/my-space/calendar/entry/view-recurrence'
'REDIRECT_HTTPS' => 'on'
'REDIRECT_SSL_TLS_SNI' => 'www.my-humhub.com'
'REDIRECT_STATUS' => '200'
'SCRIPT_URL' => '/s/my-space/calendar/entry/view-recurrence'
'SCRIPT_URI' => 'https://www.my-humhub.com/s/my-space/calendar/entry/view-recurrence'
'REDIRECT_URL' => '/s/my-space/calendar/entry/view-recurrence'
'REDIRECT_QUERY_STRING' => 'id=1395%27&parent_id=1351%27&recurrence_id=20231211T183000%27'
'GATEWAY_INTERFACE' => 'CGI/1.1'
'SERVER_PROTOCOL' => 'HTTP/1.1'
'REQUEST_METHOD' => 'GET'
'QUERY_STRING' => 'id=1395%27&parent_id=1351%27&recurrence_id=20231211T183000%27'
'REQUEST_URI' => '/s/my-space/calendar/entry/view-recurrence?id=1395%27&parent_id=1351%27&recurrence_id=20231211T183000%27'
'SCRIPT_NAME' => '/index.php'
'PHP_SELF' => '/index.php'
'REQUEST_TIME_FLOAT' => 1695465121.2169
'REQUEST_TIME' => 1695465121
]
yurabakhtin commented 11 months ago

@marc-farre I cannot find what code may add an apostrophe to each param. Do you have this issue in the log only for the URL /s/my-space/calendar/entry/view-recurrence, or maybe some other URLs have the same? I am thinking, what if it is not an error but the result of a scan by some hack tool to find a vulnerability with SQL injection...
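As an added illustration (not code from the humhub/calendar project), the two things a maintainer can do with the request shape seen in the log above: validate `recurrence_id` against its strict `YYYYMMDDThhmmss` form before it reaches the date parser, so a stray apostrophe becomes a client error rather than a logged exception, and flag requests whose query values all end in a single quote, the pattern the $_GET dump shows and that the scanner hypothesis predicts. The function names and the sample URIs are constructed for this example.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Strict shape of a recurrence id as it appears in the log: YYYYMMDDThhmmss.
RECURRENCE_ID_RE = re.compile(r"^\d{8}T\d{6}$")


def parse_recurrence_id(value):
    """Return a datetime for a well-formed recurrence id, or None.

    Checking the shape first means a value such as "20231211T183000'" is
    rejected before any date parsing, so the caller can answer 400 instead
    of letting an unexpected-character exception land in the log.
    """
    if not RECURRENCE_ID_RE.match(value):
        return None
    return datetime.strptime(value, "%Y%m%dT%H%M%S")


def looks_like_quote_probe(request_uri):
    """True when every query value of the URI ends in a single quote.

    That is the signature from the $_GET dump (id=1395', parent_id=1351',
    recurrence_id=20231211T183000'); parse_qsl decodes the %27 for us.
    """
    params = parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)
    return bool(params) and all(v.endswith("'") for _, v in params)


def triage(request_uri):
    """Classify one request URI as 'probe', 'bad_recurrence_id' or 'ok'."""
    if looks_like_quote_probe(request_uri):
        return "probe"
    params = dict(parse_qsl(urlsplit(request_uri).query, keep_blank_values=True))
    if parse_recurrence_id(params.get("recurrence_id", "")) is None:
        return "bad_recurrence_id"
    return "ok"


# Constructed samples: the REQUEST_URI from the log, and a well-formed one
# of the kind the calendar view produces (note the cal=1 parameter).
SAMPLE_URIS = [
    "/s/my-space/calendar/entry/view-recurrence?id=1395%27&parent_id=1351%27&recurrence_id=20231211T183000%27",
    "/s/my-space/calendar/entry/view-recurrence?id=1395&parent_id=1351&recurrence_id=20231211T183000&cal=1",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(triage(uri), uri)
```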

marc-farre commented 11 months ago

Thanks @yurabakhtin for your investigation.

Yes, always for /s/my-space/calendar/entry/view-recurrence URL.

I've checked the IPs and they come from the USA and Germany, so I couldn't tell if it's a machine owned by a hacker or not, but it could be (the instances are French).

What made me think it may be a bug is that I'm receiving them since the update to version 1.5.3 which has changes for recurring events:

Anyway, I'll close this issue and we can reopen it if it's becoming more problematic or if other users have the same problem.

yurabakhtin commented 11 months ago

@marc-farre Thank you for the info; yes, please tell us again if you have similar issues.