
[#11538] Embedding calendars broken
Summary: Embedding calendars broken
Queue: Kronolith
Queue Version: Git master
Type: Bug
State: Resolved
Priority: 3. High
Owners: mrubinsk (at) horde (dot) org, slusarz (at) horde (dot) org
Requester: mrubinsk (at) horde (dot) org
Created: 10/17/2012 (4644 days ago)
Due:
Updated: 03/28/2013 (4482 days ago)
Assigned:
Resolved: 10/17/2012 (4644 days ago)
Github Issue Link:
Github Pull Request:
Milestone: 4
Patch: No

History
03/28/2013 06:44:35 PM Git Commit Comment #14
Changes have been made in Git (master):

commit 2884204d9b175d8729c1e662ba53cbeb9c03e7e6
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Thu Mar 28 11:58:10 2013 -0600

     [mms] SECURITY: Fix token validation of AJAX actions.

     Mea culpa.  This commit broke things:

     commit 83dcfa1448ba2b142623839aee78a2160eb25cb0
     Author: Michael M Slusarz <slusarz@horde.org>
     Date:   Wed Oct 17 13:27:10 2012 -0600

         [mms] Allow AJAX handler methods to be marked externally accessible
         (i.e. no session token checking) (Bug #11538).

     This commit failed to extend the injector to pass the token argument to
     the AJAX Application handler.  Although we should always do this check,
     regardless of whether the token is empty anyway.

  framework/Core/lib/Horde/Core/Ajax/Application.php |    5 ++---
  framework/Core/lib/Horde/Core/Factory/Ajax.php     |    5 +++--
  framework/Core/package.xml                         |    2 ++
  3 files changed, 7 insertions(+), 5 deletions(-)

http://git.horde.org/horde-git/-/commit/2884204d9b175d8729c1e662ba53cbeb9c03e7e6
10/27/2012 12:57:39 AM Git Commit Comment #13
Changes have been made in Git (develop):

commit d34e93dd8aba2e0d4855a2c1e46569801f4b91f8
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 15:55:16 2012 -0400

     Allow the embed method to be called without a token.

     Final bit of Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/d34e93dd8aba2e0d4855a2c1e46569801f4b91f8
10/27/2012 12:57:35 AM Git Commit Comment #12
Changes have been made in Git (develop):

commit 83dcfa1448ba2b142623839aee78a2160eb25cb0
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Wed Oct 17 13:27:10 2012 -0600

     [mms] Allow AJAX handler methods to be marked externally accessible
     (i.e. no session token checking) (Bug #11538).

  framework/Core/lib/Horde/Core/Ajax/Application.php |   20 +++++++++++++++++---
  .../lib/Horde/Core/Ajax/Application/Handler.php    |   20 ++++++++++++++++++++
  framework/Core/package.xml                         |    2 ++
  horde/services/ajax.php                            |   13 ++++++-------
  4 files changed, 45 insertions(+), 10 deletions(-)

http://git.horde.org/horde-git/-/commit/83dcfa1448ba2b142623839aee78a2160eb25cb0
10/27/2012 12:57:05 AM Git Commit Comment #11
Changes have been made in Git (develop):

commit 7f2d0403cbe97f528f9adb2b14cd4a47e2f9a24f
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 11:51:46 2012 -0400

     $container is already quoted by the serialization.

     Partial fix for Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/7f2d0403cbe97f528f9adb2b14cd4a47e2f9a24f
10/27/2012 12:56:56 AM Git Commit Comment #10
Changes have been made in Git (develop):

commit d2531c6925c0572b5b93eeb1e7cf08989754c284
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 11:17:38 2012 -0400

     There is no Horde_Core_Ajax_Response_Javascript.

     Use raw output with proper content type. Partial fix for Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/d2531c6925c0572b5b93eeb1e7cf08989754c284
10/17/2012 07:56:24 PM Michael Rubinsky State ⇒ Resolved
 
10/17/2012 07:55:57 PM Git Commit Comment #9
Changes have been made in Git (master):

commit d34e93dd8aba2e0d4855a2c1e46569801f4b91f8
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 15:55:16 2012 -0400

     Allow the embed method to be called without a token.

     Final bit of Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/d34e93dd8aba2e0d4855a2c1e46569801f4b91f8
10/17/2012 07:33:06 PM Michael Slusarz Comment #8
You need to identify the AJAX methods that can be accessed externally 
in the _external() array in the AJAX Handler.  Make sure that these 
externally marked AJAX methods are not accessed internally, or else 
you defeat the whole purpose of the token checking.
10/17/2012 07:30:26 PM Git Commit Comment #7
Changes have been made in Git (master):

commit 83dcfa1448ba2b142623839aee78a2160eb25cb0
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Wed Oct 17 13:27:10 2012 -0600

     [mms] Allow AJAX handler methods to be marked externally accessible
     (i.e. no session token checking) (Bug #11538).

  framework/Core/lib/Horde/Core/Ajax/Application.php |   20 +++++++++++++++++---
  .../lib/Horde/Core/Ajax/Application/Handler.php    |   20 ++++++++++++++++++++
  framework/Core/package.xml                         |    2 ++
  horde/services/ajax.php                            |   13 ++++++-------
  4 files changed, 45 insertions(+), 10 deletions(-)

http://git.horde.org/horde-git/-/commit/83dcfa1448ba2b142623839aee78a2160eb25cb0
10/17/2012 03:54:13 PM Michael Rubinsky Comment #6
The token issue is now the only remaining problem with this ticket.
10/17/2012 03:53:48 PM Git Commit Comment #5
Changes have been made in Git (master):

commit 7f2d0403cbe97f528f9adb2b14cd4a47e2f9a24f
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 11:51:46 2012 -0400

     $container is already quoted by the serialization.

     Partial fix for Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/7f2d0403cbe97f528f9adb2b14cd4a47e2f9a24f
10/17/2012 03:27:15 PM Michael Rubinsky Comment #4
Priority ⇒ 3. High
Bumping priority since this is a show stopper.
10/17/2012 03:26:01 PM Michael Rubinsky Comment #3
Assigned to Michael Slusarz
Part of the remaining problem with this is that all Ajax requests now 
require a valid token. The token validity depends on the token still 
being in the session. (One of) the problems here is that the URL for 
embedding the content is generated inside a user's valid session, but 
the content will most likely be viewed outside of ANY authenticated 
session, let alone the same session the URL was generated in.

Bringing Michael S. in on this since he made the token requirement changes.
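The policy that the thread converges on (comment #8, comment #3 and the follow-up commit 2884204) has three parts: an explicit allowlist of handler methods that may be called without a session token, an unconditional token check for every other method, and the rule that the allowlisted methods are never used by the application's own authenticated UI. The sketch below is an added illustration written for this page, not Horde code; `AjaxDispatcher`, `$external`, `validateToken()`, the method names and the session array are all hypothetical stand-ins. It also shows the weak variant that commit 2884204 describes, where an absent token causes the check to be skipped rather than to fail.

```php
<?php
// Added example (not Horde's code). Class, method and session names are
// hypothetical; the session token value is constructed for the demo.

class AjaxDispatcher
{
    /** Methods callable without a session token, e.g. a calendar embed
     *  fetched by a third-party page that has no authenticated session.
     *  The app's own UI must never call these for its internal actions. */
    private array $external = ['embed'];

    /** Constructed stand-in for the server-side session store. */
    private array $session;

    public function __construct(array $session)
    {
        $this->session = $session;
    }

    /** A token is valid only if the session holds one and it matches
     *  exactly; a missing or empty token is always invalid. */
    private function validateToken(?string $token): bool
    {
        if ($token === null || $token === '' || !isset($this->session['token'])) {
            return false;
        }
        return hash_equals($this->session['token'], $token);
    }

    /** Weak dispatch, kept only for contrast: the check runs solely when a
     *  token was supplied, so omitting the token reaches every method. This
     *  is the shape of the regression commit 2884204 fixes. */
    public function dispatchWeak(string $method, ?string $token): string
    {
        if ($token !== null && $token !== '' && !$this->validateToken($token)) {
            return 'DENIED';
        }
        return $this->run($method);
    }

    /** Hardened dispatch: only allowlisted methods bypass the check; every
     *  other method needs a valid token, and "no token" fails closed. */
    public function dispatch(string $method, ?string $token): string
    {
        if (!in_array($method, $this->external, true) && !$this->validateToken($token)) {
            return 'DENIED';
        }
        return $this->run($method);
    }

    /** Hypothetical handler bodies; a real handler would render output. */
    private function run(string $method): string
    {
        switch ($method) {
            case 'embed':
                return 'OK: embed (public, read-only)';
            case 'deleteEvent':
                return 'OK: deleteEvent (state-changing)';
            default:
                return 'UNKNOWN';
        }
    }
}

// Demo with a constructed session token.
$d = new AjaxDispatcher(['token' => 'c0ffee']);
printf("%-42s %s\n", 'embed, no token (hardened):',        $d->dispatch('embed', null));
printf("%-42s %s\n", 'deleteEvent, no token (hardened):',  $d->dispatch('deleteEvent', null));
printf("%-42s %s\n", 'deleteEvent, bad token (hardened):', $d->dispatch('deleteEvent', 'nope'));
printf("%-42s %s\n", 'deleteEvent, good token (hardened):',$d->dispatch('deleteEvent', 'c0ffee'));
printf("%-42s %s\n", 'deleteEvent, no token (weak):',      $d->dispatchWeak('deleteEvent', null));
```

Running it with `php` on the command line shows the hardened dispatcher refusing `deleteEvent` without a token or with a wrong one, while the weak variant lets the token-free call through. Two design points carry over from the thread: the allowlist must be reserved for content that is genuinely safe to serve to an unauthenticated viewer (comment #3 explains why an embed URL generated inside a session will usually be fetched outside any session), and the internal UI must keep sending the token even for reads, because any method the UI shares with the external list loses its token protection for internal use as well (comment #8).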
10/17/2012 03:20:48 PM Git Commit Comment #2
Changes have been made in Git (master):

commit d2531c6925c0572b5b93eeb1e7cf08989754c284
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Wed Oct 17 11:17:38 2012 -0400

     There is no Horde_Core_Ajax_Response_Javascript.

     Use raw output with proper content type. Partial fix for Bug: 11538

  kronolith/lib/Ajax/Application/Handler.php |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

http://git.horde.org/horde-git/-/commit/d2531c6925c0572b5b93eeb1e7cf08989754c284
10/17/2012 01:42:48 PM Michael Rubinsky Comment #1
State ⇒ Assigned
Patch ⇒ No
Milestone ⇒ 4
Assigned to Michael Rubinsky
Queue ⇒ Kronolith
Summary ⇒ Embedding calendars broken
Type ⇒ Bug
Priority ⇒ 2. Medium
Embedding calendars into external websites is currently broken.
