Convergence (wcap) Allows To Create malicious Calendar Names Containing '%2F' Aka '/' (Doc ID 2214591.1)

Last updated on APRIL 26, 2021

Applies to:

Oracle Communications Convergence - Version 2.0 and later
Oracle Communications Calendar Server - Version 8.0.0 and later
Information in this document applies to any platform.

Goal

WCAP (Convergence) allows creating 'malicious' calendar names such as 'foo/bar' (the name containing '%2F' aka '/'). Such a name can emit a WCAP call that in turn creates a calendar with that name on the DAV server. Is there any method to rename an existing calendar from the back end?


Issues arise if you try to access such a calendar using CalDAV. For example, Lightning + CalDAV search + subscribe creates a URI that contains the literal 'foo/bar' but will emit a call to 'foo/bar'. In the iOS Calendar application we observe calls such as:

 

The Calendar app will emit error messages, effectively preventing a user from creating an account.

So, while we technically consider these calendar names to be outside the norm, using them is essentially begging for trouble, especially with CalDAV, where the calendar name is part of the path and not part of the query (as in WCAP).
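
The path-versus-query difference described above, as an added Python example (not from the Oracle document and not Oracle code). The host, base path, endpoint and parameter name are hypothetical, and the calendar names are constructed samples.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs, urlencode

# Hypothetical URL layout for illustration; not the product's real paths.
HOST = "https://cal.example"
CALDAV_HOME = "/dav/home/alice/"
WCAP_ENDPOINT = "/wcap/get"

def caldav_segments(name):
    """Segments seen below the user's home once any component on the
    way (client, proxy, server) percent-decodes the path one time."""
    url = HOST + CALDAV_HOME + quote(name, safe="") + "/"
    decoded = unquote(urlsplit(url).path)
    return [s for s in decoded[len(CALDAV_HOME):].split("/") if s]

def wcap_roundtrip(name):
    """The same name carried as a query parameter survives intact."""
    url = HOST + WCAP_ENDPOINT + "?" + urlencode({"calname": name})
    return parse_qs(urlsplit(url).query)["calname"][0]

def unsafe_as_path_segment(name, max_rounds=3):
    """True if the name contains '/' directly or after repeated
    percent-decoding (catches '%2F' and double-encoded '%252F')."""
    current = name
    for _ in range(max_rounds):
        if "/" in current:
            return True
        decoded = unquote(current)
        if decoded == current:
            return False
        current = decoded
    return "/" in current

def audit(names):
    """Return the calendar names that cannot be one CalDAV path segment."""
    return [n for n in names if unsafe_as_path_segment(n)]

if __name__ == "__main__":
    # Constructed sample names.
    samples = ["team", "foo/bar", "foo%2Fbar", "foo%252Fbar", "100%"]
    for n in samples:
        print(f"{n!r}: path={caldav_segments(n)} query={wcap_roundtrip(n)!r}")
    print("flagged:", audit(samples))
```

A check like `unsafe_as_path_segment` belongs at calendar creation time, before the name is ever stored, since the query-based interface accepts names that the path-based one cannot address.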

Is there a known and reasonably 'safe' procedure to rename such a calendar?
 

Solution
