From b23752384d253c9c42a0ca62a64df99975e7722c Mon Sep 17 00:00:00 2001
From: James French
Date: Mon, 4 Mar 2013 15:51:58 +0800
Subject: [PATCH] Input sanitisation - UID must be numeric - Key must be alphanumeric & 16 chars long - Fixed missing vobject import
---
 fbcal.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/fbcal.py b/fbcal.py
index ff0dc09..8068f5e 100755
--- a/fbcal.py
+++ b/fbcal.py
@@ -22,23 +22,33 @@
 import sys
 import cgi
+import vobject
 import icalparse
+import re
 #import cgitb; cgitb.enable()
-form = cgi.FieldStorage()
+def exitQuiet(exitstate=0):
+ print('Content-Type: text/html\n')
+ sys.exit(exitstate)
 if __name__ == '__main__':
+ form = cgi.FieldStorage()
 if "uid" not in form or "key" not in form:
 print('Content-Type: text/html\n')
 sys.exit(0)
 try:
+ # UID should be numeric, if it's not we have someone playing games
 uid = int(form['uid'].value)
- key = int(form['key'].value)
 except:
- print('Content-Type: text/html\n')
- sys.exit(0)
+ exitQuiet()
+
+ # The user's key will be a 16 character alphanumeric string
+ key = form['key'].value
+ re.search('[\W_]+', key) and exitQuiet()
+ len(key) == 16 or exitQuiet()
- url = 'http://www.facebook.com/ical/u.php?uid=%s&key=%s'%(uid,key)
+ # Okay, we're happy that the input is sane, lets serve up some data
+ url = 'http://www.facebook.com/ical/u.php?uid=%d&key=%s'%(uid,key)
 (content, encoding) = icalparse.getHTTPContent(url)
 cal = vobject.readOne(unicode(content, encoding))
--
2.20.1
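Review bot: The new `key = form['key'].value` sits outside the try block, so a request that repeats the `key` parameter makes `form['key']` a list and the `.value` access raises an unhandled AttributeError instead of the quiet exit the commit intends; the `uid` lookup only survives the same case because the bare `except:` swallows it. Reading both through `getfirst` avoids that, and the two key checks collapse into one anchored pattern so nothing else slips through: `key = form.getfirst('key', '')` followed by `re.match(r'\A[A-Za-z0-9]{16}\Z', key) or exitQuiet()`. The current `re.search('[\W_]+', key)` relies on `\w` being ASCII-only, which holds for Python 2 `str` input but not under Python 3 or with `re.UNICODE`, where non-ASCII letters would pass as "alphanumeric" — an explicit character class in a raw string removes that dependency. The `except:` should also be narrowed to `except ValueError:` so it cannot mask unrelated failures, and the `url` line still sends the key over plain http, which is worth switching to https if the endpoint supports it since the key appears to be what authorizes access to the calendar. The `__main__` block continues past the end of the hunk.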