IWC (wcap) Allows To Create malicious Calendar Names Containing '%2F' Aka '/' (Doc ID 2214591.1)

Last updated on DECEMBER 19, 2016

Applies to:

Oracle Communications Convergence - Version 2.0 and later
Oracle Communications Calendar Server - Version 8.0.0 and later
Information in this document applies to any platform.

Goal

WCAP (IWC) allows the creation of 'malicious' calendar names such as 'foo/bar' (a name containing '%2F', aka '/'). Such a name can emit a WCAP call that in turn creates a calendar with that name on the Davserver. Is there any method to rename an existing calendar from the back end?


Issues arise if you try to access such a calendar using CalDAV. For example, Lightning + CalDAV search + subscribe creates a URI that contains the literal 'foo/bar' but will emit a call to 'foo/bar'. In the Apple Calendar application we observe calls such as:

 

The Calendar app will emit error messages, effectively preventing a user from creating an account.

So, while technically we consider these calendar names to be outside the norm, using them is essentially begging for trouble, especially with CalDAV, where the calendar name is part of the path and not part of the query (as in WCAP).

Is there a known and reasonably 'safe' procedure to rename such a calendar?
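The path-versus-query problem described above, as an added example (not Oracle's code): the same name yields one path segment or two depending on whether a client splits the CalDAV path before or after percent-decoding, and a validator can reject such names at creation time. The calendar home `/dav/home/alice/` and all function names are constructed for illustration; the validator also rejects backslashes, control characters and dot segments, which is a stricter rule than the page states.

```python
from urllib.parse import quote, unquote

# Constructed placeholder for a user's CalDAV calendar home (assumption).
CALENDAR_HOME = "/dav/home/alice/"


def caldav_path(name):
    """Build the collection path with the name as ONE encoded segment."""
    return CALENDAR_HOME + quote(name, safe="") + "/"


def segments_split_then_decode(path):
    """Split on '/' first, then decode each segment (keeps %2F inside a segment)."""
    rel = path[len(CALENDAR_HOME):].strip("/")
    return [unquote(seg) for seg in rel.split("/")]


def segments_decode_then_split(path):
    """Decode first, then split: a client that normalises %2F to '/'."""
    rel = unquote(path)[len(CALENDAR_HOME):].strip("/")
    return rel.split("/")


def decode_fully(name, max_rounds=5):
    """Percent-decode until stable so 'foo%252Fbar' is seen as 'foo/bar'."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    return None  # still changing after max_rounds: treat as hostile


def is_safe_calendar_name(name):
    """True only if the name can never turn into a path separator."""
    decoded = decode_fully(name)
    if decoded is None or decoded in ("", ".", ".."):
        return False
    return not any(c in "/\\" or ord(c) < 0x20 for c in decoded)


if __name__ == "__main__":
    path = caldav_path("foo/bar")
    print(path)                                # name encoded as one segment
    print(segments_split_then_decode(path))    # one collection
    print(segments_decode_then_split(path))    # two collections
    for n in ("Team calendar", "foo/bar", "foo%2Fbar", "foo%252Fbar"):
        print(repr(n), is_safe_calendar_name(n))
```

Running the check on the WCAP create path, before the name reaches the back end, keeps the two interpretations from ever diverging.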
 

Solution
