No Import from Servers via reserved IP adresses

  • You wrote here:

    room34 wrote: @abecker The problem you’re describing is different from what this thread was about. This is a new issue, introduced by the security changes added in version 10.12.0.4. This will affect any setup that is retrieving the calendar from a reserved IP address range (i.e. an internal network address). This restriction was a necessary addition to meet security requirements, however I am looking into ways I can add back in legitimate access to reserved IP addresses without reopening the security hole that previously existed. In the meantime, I have a couple of workarounds. Both are fairly technical. The preferred method is to add an entry to your web server’s /etc/hosts file that points to the public/external IP address of your Exchange server. (The other method just reopens the security hole, so I am not going to describe it here.)

    After I edited my /etc/host in the way you told, the calendar import works again. But know the mail of the webserver doesn’t work anymore, because the mailserver (same MS Exchange server as the calendar) can only be reached by the internal IP.

    What is the second method?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author room34

    (@room34)

    The second method reopens the security holes the changes were designed to fix, so I’m not going to outline it here. However, there is a solution available now in the beta version of the next update, which is checked into the repository. (The final release of this update is coming this week.)

    The new version includes a hook you can use to specify a set of internally-resolved domains that should ICS Calendar should be allowed to access. The code is documented here.

    Hi,

    I have the same problem. I only have the ICS available internally (acutally it’s on the same host but different port). Since the update the calendar is not shown anymore. There is also no error message in the debug – just an empty array for the ICS data.
    I tried the linked FAQ with the beta (is it new, than the 10.12.2 final?) but this does not change anything. I wrote my own plugin for the http_request and also used the “Allowed hosts” plugin. Both did not change anything…

    Is this working for someone else?

    I am actually suprised that even if I go to older version (10.12.0.3) it does not start working again ??

    Best
    Jan

    Plugin Author room34

    (@room34)

    @gebauer To address the last item first: Due to the security concerns with this fix, the change has been backported to all available versions in the repository.

    The fix in 10.12.2 should be working. Please have another look at the documentation. If you’re not able to get it going, I may need you to send me the exact PHP code you’re using in your plugin. You can email it to the address on the ICS Calendar admin page.

    It’s good to know about the backports; it seriously confused me. Didn’t think that older version were retro-actively changed.

    Just to make sure: The Fix should work in the current 10.12.2 final? (not only beta)?

    Best
    Jan

    Plugin Author room34

    (@room34)

    @gebauer Yes, the fix is in the final release of 10.12.2. I had forgotten to update the documentation to remove the mention of the beta.

    Normally I do not backport any changes, but I wanted to be sure there were no publicly available ways to download versions that had the security issue.

    • This reply was modified 1 year, 3 months ago by room34.
    Thread Starter abecker

    (@abecker)

    I installed version 10.12.2 but the problem persist.

    The internal IP of our Exchange Server is 172.16.1.13. What shall I do after installing? I’m not a programmer.

    Plugin Author room34

    (@room34)

    @abecker Did you also add the code to your theme as described in the documentation? The update in 10.12.2 makes it possible to access internal IP addresses, but you do still need to use the hook and add your list of allowed domains.

    In the future I may add an admin setting that lets you just enter a list of the domains you want to allow, rather than having to use a custom PHP code snippet. I just need to make sure that I’m not re-opening the security hole in the process.

    Thread Starter abecker

    (@abecker)

    There’s not written, where I have to put the code into my theme. I’m not a programmer. I did it now by try and error and it works.

    Plugin Author room34

    (@room34)

    It should go in the functions.php file. I’ll add that to the docs.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘No Import from Servers via reserved IP adresses’ is closed to new replies.