icalendar 2.12.0 → 2.12.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9aaf6132f4baffabc0b6a45fb4a1a5049e58b4ca264eddaac67648575e6702c6
-  data.tar.gz: ac0ee8ac873a3a9d97ad8914aa6f2bf3edb545f1d58d0d152988850cce9fca07
+  metadata.gz: ad06e861392ab70f0e800ac4f2a6b81f019aaf3548a35e513f02bcc975968b86
+  data.tar.gz: 16562bdeae817fc8afd4e0b6de7090a42c0b095cb56640d5b9183cfb3a07bb74
 SHA512:
-  metadata.gz: a330a0e6568705cc448eef9090d54c72b59fc78fec537ca715523689b5954875c76e0a16957ec344bce71fcb4b8f1f9e62af7c57591eef49d4682acee431a3e1
-  data.tar.gz: 2f49d14ad8759d16324a04f1472eee65e05fc5a1a9167ab5a93da5e2cdddab11cd8a61bad95718533747f10f7f8bf4b7a664e67e8b743d0cf490a1657f55dcdd
+  metadata.gz: 927cd1536b413039b75f4c2a100ca169bb17897c10754b4806762d341aaa4b7800fc93e7bc81566681a678a853fefc0d54fad5fdd0316c10f0245f91864d2faf
+  data.tar.gz: 5d9c09347062a5dd73ad23cd75905c5508b8a72ce0447241ee282fa6bbcc7d259e4a26309fc90af718f14f14b18ca78403bc849898b42147c5368ae6edb21d13

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## Unreleased
 
+## 2.12.2 - 2026-03-21
+- Fix a potential property injection issue through escaping control characters in URI values - Wes Ring
+
+## 2.12.1 - 2025-10-19
+- Fix a problem with invalid ics generation for calendars with custom properties that include a `tzid` parameter.
+
 ## 2.12.0 - 2025-09-26
 - Support timezone lookup by Windows names - Ronak Gothi
 

data/lib/icalendar/downcased_hash.rb

@@ -3,32 +3,65 @@
 require 'delegate'
 
 module Icalendar
-  class DowncasedHash < ::SimpleDelegator
+  class DowncasedHash
 
     def initialize(base)
-      super Hash.new
+      @obj = Hash.new
       base.each do |key, value|
         self[key] = value
       end
     end
 
     def []=(key, value)
-      __getobj__[key.to_s.downcase] = value
+      obj[key.to_s.downcase] = value
     end
 
     def [](key)
-      __getobj__[key.to_s.downcase]
+      obj[key.to_s.downcase]
     end
 
     def has_key?(key)
-      __getobj__.has_key? key.to_s.downcase
+      obj.has_key? key.to_s.downcase
     end
     alias_method :include?, :has_key?
     alias_method :member?, :has_key?
 
     def delete(key, &block)
-      __getobj__.delete key.to_s.downcase, &block
+      obj.delete key.to_s.downcase, &block
     end
+
+    def merge(*other_hashes)
+      Icalendar::DowncasedHash.new(obj).merge!(*other_hashes)
+    end
+
+    def merge!(*other_hashes)
+      other_hashes.each do |hash|
+        hash.each do |key, value|
+          self[key] = value
+        end
+      end
+      self
+    end
+
+    def empty?
+      obj.empty?
+    end
+
+    def each(&block)
+      obj.each &block
+    end
+
+    def map(&block)
+      obj.map &block
+    end
+
+    def ==(other)
+      obj == Icalendar::DowncasedHash(other).obj
+    end
+
+    protected
+
+    attr_reader :obj
   end
 
   def self.DowncasedHash(base)

data/lib/icalendar/parser.rb

@@ -87,9 +87,10 @@ module Icalendar
         Icalendar::Values::Helpers::Array.new fields[:value].split(WRAP_PROPERTY_VALUE_SPLIT_REGEX),
                                      klass,
                                      fields[:params],
-                                     delimiter: delimiter
+                                     delimiter: delimiter,
+                                     timezone_store: timezone_store
       else
-        klass.new fields[:value], fields[:params]
+        klass.new fields[:value], fields[:params], timezone_store: timezone_store
       end
     rescue Icalendar::Values::DateTime::FormatError => fe
       raise fe if strict?
@@ -215,9 +216,6 @@ module Icalendar
           if param_value.size > 0
             param_value = param_value.gsub(PVALUE_GSUB_REGEX, '')
             params[param_name] << param_value
-            if param_name == 'tzid'
-              params['x-tz-store'] = timezone_store
-            end
           end
         end
       end

data/lib/icalendar/value.rb

@@ -8,10 +8,11 @@ module Icalendar
 
   class Value < ::SimpleDelegator
 
-    attr_accessor :ical_params
+    attr_accessor :ical_params, :context
 
-    def initialize(value, params = {})
+    def initialize(value, params = {}, context = {})
       @ical_params = Icalendar::DowncasedHash(params)
+      @context = Icalendar::DowncasedHash(context)
       super value
     end
 

data/lib/icalendar/values/boolean.rb

@@ -5,8 +5,8 @@ module Icalendar
 
     class Boolean < Value
 
-      def initialize(value, params = {})
-        super value.to_s.downcase == 'true', params
+      def initialize(value, *args)
+        super value.to_s.downcase == 'true', *args
       end
 
       def value_ical
@@ -16,4 +16,4 @@ module Icalendar
     end
 
   end
-end
+end

data/lib/icalendar/values/date.rb

@@ -8,9 +8,8 @@ module Icalendar
     class Date < Value
       FORMAT = '%Y%m%d'
 
-      def initialize(value, params = {})
+      def initialize(value, params = {}, *args)
         params.delete 'tzid'
-        params.delete 'x-tz-store'
         if value.is_a? String
           begin
             parsed_date = ::Date.strptime(value, FORMAT)
@@ -18,9 +17,9 @@ module Icalendar
             raise FormatError.new("Failed to parse \"#{value}\" - #{e.message}")
           end
 
-          super parsed_date, params
+          super parsed_date, params, *args
         elsif value.respond_to? :to_date
-          super value.to_date, params
+          super value.to_date, params, *args
         else
           super
         end

data/lib/icalendar/values/date_time.rb

@@ -11,7 +11,7 @@ module Icalendar
 
       FORMAT = '%Y%m%dT%H%M%S'
 
-      def initialize(value, params = {})
+      def initialize(value, params = {}, *args)
         if value.is_a? String
           params['tzid'] = 'UTC' if value.end_with? 'Z'
 
@@ -21,9 +21,9 @@ module Icalendar
             raise FormatError.new("Failed to parse \"#{value}\" - #{e.message}")
           end
 
-          super parsed_date, params
+          super parsed_date, params, *args
         elsif value.respond_to? :to_datetime
-          super value.to_datetime, params
+          super value.to_datetime, params, *args
         else
           super
         end

data/lib/icalendar/values/duration.rb

@@ -7,11 +7,11 @@ module Icalendar
 
     class Duration < Value
 
-      def initialize(value, params = {})
+      def initialize(value, *args)
         if value.is_a? Icalendar::Values::Duration
-          super value.value, params
+          super value.value, *args
         else
-          super OpenStruct.new(parse_fields value), params
+          super OpenStruct.new(parse_fields value), *args
         end
       end
 

data/lib/icalendar/values/float.rb

@@ -5,8 +5,8 @@ module Icalendar
 
     class Float < Value
 
-      def initialize(value, params = {})
-        super value.to_f, params
+      def initialize(value, *args)
+        super value.to_f, *args
       end
 
       def value_ical
@@ -16,4 +16,4 @@ module Icalendar
     end
 
   end
-end
+end

data/lib/icalendar/values/helpers/array.rb

@@ -8,22 +8,23 @@ module Icalendar
 
         attr_reader :value_delimiter
 
-        def initialize(value, klass, params = {}, options = {})
-          @value_delimiter = options[:delimiter] || ','
+        def initialize(value, klass, params = {}, context = {})
+          context = Icalendar::DowncasedHash(context)
+          @value_delimiter = context['delimiter'] || ','
           mapped = if value.is_a? ::Array
                     value.map do |v|
                       if v.is_a? Icalendar::Values::Helpers::Array
-                        Icalendar::Values::Helpers::Array.new v.value, klass, v.ical_params, delimiter: v.value_delimiter
+                        Icalendar::Values::Helpers::Array.new v.value, klass, v.ical_params, context.merge(delimiter: v.value_delimiter)
                       elsif v.is_a? ::Array
-                        Icalendar::Values::Helpers::Array.new v, klass, params, delimiter: value_delimiter
+                        Icalendar::Values::Helpers::Array.new v, klass, params, context.merge(delimiter: value_delimiter)
                       elsif v.is_a? Icalendar::Value
                         v
                       else
-                        klass.new v, params
+                        klass.new v, params, context
                       end
                     end
                   else
-                    [klass.new(value, params)]
+                    [klass.new(value, params, context)]
                   end
           super mapped
         end

data/lib/icalendar/values/helpers/time_with_zone.rb

@@ -19,17 +19,20 @@ module Icalendar
       module TimeWithZone
         attr_reader :tz_utc, :timezone_store
 
-        def initialize(value, params = {})
+        def initialize(value, params = {}, context = {})
           params = Icalendar::DowncasedHash(params)
+          context = Icalendar::DowncasedHash(context)
           @tz_utc = params['tzid'] == 'UTC'
-          @timezone_store = params.delete 'x-tz-store'
+          @timezone_store = context['timezone_store']
 
           offset = Icalendar::Offset.build(value, params, timezone_store)
 
-          @offset_value = offset&.normalized_value
-          params['tzid'] = offset.normalized_tzid if offset
+          unless offset.nil?
+            @offset_value = offset.normalized_value
+            params['tzid'] = offset.normalized_tzid
+          end
 
-          super (@offset_value || value), params
+          super (@offset_value || value), params, context
         end
 
         def __getobj__

data/lib/icalendar/values/integer.rb

@@ -5,8 +5,8 @@ module Icalendar
 
     class Integer < Value
 
-      def initialize(value, params = {})
-        super value.to_i, params
+      def initialize(value, *args)
+        super value.to_i, *args
       end
 
       def value_ical
@@ -16,4 +16,4 @@ module Icalendar
     end
 
   end
-end
+end

data/lib/icalendar/values/period.rb

@@ -7,7 +7,7 @@ module Icalendar
 
       PERIOD_LAST_PART_REGEX = /\A[+-]?P.+\z/.freeze
 
-      def initialize(value, params = {})
+      def initialize(value, *args)
         parts = value.split '/'
         period_start = Icalendar::Values::DateTime.new parts.first
         if parts.last =~ PERIOD_LAST_PART_REGEX
@@ -15,7 +15,7 @@ module Icalendar
         else
           period_end = Icalendar::Values::DateTime.new parts.last
         end
-        super [period_start, period_end], params
+        super [period_start, period_end], *args
       end
 
       def value_ical
@@ -47,4 +47,4 @@ module Icalendar
       end
     end
   end
-end
+end

data/lib/icalendar/values/recur.rb

@@ -12,11 +12,11 @@ module Icalendar
       MONTHDAY = '[+-]?\d{1,2}'
       YEARDAY = '[+-]?\d{1,3}'
 
-      def initialize(value, params = {})
+      def initialize(value, *args)
         if value.is_a? Icalendar::Values::Recur
-          super value.value, params
+          super value.value, *args
         else
-          super OpenStruct.new(parse_fields value), params
+          super OpenStruct.new(parse_fields value), *args
         end
       end
 

data/lib/icalendar/values/text.rb

@@ -3,12 +3,12 @@
 module Icalendar
   module Values
     class Text < Value
-      def initialize(value, params = {})
+      def initialize(value, *args)
         value = value.gsub('\n', "\n")
         value.gsub!('\,', ',')
         value.gsub!('\;', ';')
         value.gsub!('\\\\') { '\\' }
-        super value, params
+        super value, *args
       end
 
       VALUE_ICAL_CARRIAGE_RETURN_GSUB_REGEX = /\r?\n/.freeze

data/lib/icalendar/values/time.rb

@@ -11,12 +11,12 @@ module Icalendar
 
       FORMAT = '%H%M%S'
 
-      def initialize(value, params = {})
+      def initialize(value, params = {}, *args)
         if value.is_a? String
           params['tzid'] = 'UTC' if value.end_with? 'Z'
-          super ::DateTime.strptime(value, FORMAT).to_time, params
+          super ::DateTime.strptime(value, FORMAT).to_time, params, *args
         elsif value.respond_to? :to_time
-          super value.to_time, params
+          super value.to_time, params, *args
         else
           super
         end
@@ -33,4 +33,4 @@ module Icalendar
     end
 
   end
-end
+end

data/lib/icalendar/values/uri.rb

@@ -6,14 +6,15 @@ module Icalendar
   module Values
 
     class Uri < Value
+      CONTROL_BYTES_REGEX = /[\x00-\x1F\x7F]/.freeze
 
-      def initialize(value, params = {})
+      def initialize(value, *args)
         parsed = URI.parse(value) rescue value
-        super parsed, params
+        super parsed, *args
       end
 
       def value_ical
-        value.to_s
+        value.to_s.gsub(CONTROL_BYTES_REGEX) { |char| "%%%02X" % char.ord }
       end
     end
 

data/lib/icalendar/values/utc_offset.rb

@@ -5,13 +5,13 @@ require 'ostruct'
 module Icalendar
   module Values
     class UtcOffset < Value
-      def initialize(value, params = {})
+      def initialize(value, *args)
         if value.is_a? Icalendar::Values::UtcOffset
           value = value.value
         else
           value = OpenStruct.new parse_fields(value)
         end
-        super value, params
+        super value, *args
       end
 
       def behind?

data/lib/icalendar/version.rb

@@ -2,6 +2,6 @@
 
 module Icalendar
 
-  VERSION = '2.12.0'
+  VERSION = '2.12.2'
 
 end

data/spec/fixtures/tz_store_param_bug.ics

@@ -0,0 +1,30 @@
+BEGIN:VCALENDAR
+METHOD:COUNTER
+PRODID:Microsoft Exchange Server 2010
+VERSION:2.0
+BEGIN:VTIMEZONE
+TZID:Pacific Standard Time
+BEGIN:STANDARD
+DTSTART:16010101T020000
+TZOFFSETFROM:-0700
+TZOFFSETTO:-0800
+RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=1SU;BYMONTH=11
+END:STANDARD
+BEGIN:DAYLIGHT
+DTSTART:16010101T020000
+TZOFFSETFROM:-0800
+TZOFFSETTO:-0700
+RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=2SU;BYMONTH=3
+END:DAYLIGHT
+END:VTIMEZONE
+BEGIN:VEVENT
+DTSTART;TZID=Pacific Standard Time:20251008T103000
+DTEND;TZID=Pacific Standard Time:20251008T113000
+X-MS-OLK-ORIGINALSTART;TZID=Pacific Standard Time:20251008T110000
+X-MS-OLK-ORIGINALEND;TZID=Pacific Standard Time:20251008T120000
+UID:1sqt3u5rn2fprt7g7u75obcgav@google.com
+SEQUENCE:0
+DTSTAMP:20251007T184328Z
+COMMENT;LANGUAGE=en-US:\n
+END:VEVENT
+END:VCALENDAR

data/spec/parser_spec.rb

@@ -126,4 +126,18 @@ describe Icalendar::Parser do
       expect(event.location.value).to eq "1000 Main St Example, State 12345"
     end
   end
+
+  describe 'custom properties with tzid' do
+    let(:fn) { 'tz_store_param_bug.ics' }
+
+    it 'parses without error' do
+      expect(subject.parse.first).to be_a Icalendar::Calendar
+    end
+
+    it 'can be output to ics and re-parsed without error' do
+      cal = subject.parse.first
+      new_cal = Icalendar::Parser.new(cal.to_ical, false).parse.first
+      expect(new_cal).to be_a Icalendar::Calendar
+    end
+  end
 end

data/spec/values/uri_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Icalendar::Values::Uri do
+  describe '#value_ical' do
+    it 'percent-encodes CRLF to prevent content-line injection' do
+      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
+
+      expect(value.value_ical).to eq('https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com')
+    end
+
+    it 'percent-encodes the full ASCII control range' do
+      raw = "https://example.com/a\tb\f#{0.chr}#{127.chr}"
+      value = described_class.new(raw)
+
+      expect(value.value_ical).to eq('https://example.com/a%09b%0C%00%7F')
+    end
+
+    it 'leaves valid printable URI characters unchanged' do
+      raw = 'https://example.com/a-path?q=one%20two&x=@tag#frag'
+      value = described_class.new(raw)
+
+      expect(value.value_ical).to eq(raw)
+    end
+  end
+
+  describe '#to_ical' do
+    it 'serializes injected CRLF on the same content line' do
+      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
+
+      expect(value.to_ical(Icalendar::Values::Text)).to eq(
+        ';VALUE=URI:https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com'
+      )
+    end
+  end
+end
+
+describe Icalendar::Values::CalAddress do
+  it 'inherits URI control-byte encoding' do
+    value = described_class.new("mailto:user@example.com\r\nORGANIZER:mailto:evil@example.com")
+
+    expect(value.value_ical).to eq('mailto:user@example.com%0D%0AORGANIZER:mailto:evil@example.com')
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: icalendar
 version: !ruby/object:Gem::Version
-  version: 2.12.0
+  version: 2.12.2
 platform: ruby
 authors:
 - Ryan Ahearn
@@ -275,6 +275,7 @@ files:
 - spec/fixtures/two_day_events.ics
 - spec/fixtures/two_events.ics
 - spec/fixtures/two_time_events.ics
+- spec/fixtures/tz_store_param_bug.ics
 - spec/fixtures/tzid_search.ics
 - spec/freebusy_spec.rb
 - spec/journal_spec.rb
@@ -291,6 +292,7 @@ files:
 - spec/values/period_spec.rb
 - spec/values/recur_spec.rb
 - spec/values/text_spec.rb
+- spec/values/uri_spec.rb
 - spec/values/utc_offset_spec.rb
 homepage: https://github.com/icalendar/icalendar
 licenses:
@@ -343,6 +345,7 @@ test_files:
 - spec/fixtures/two_day_events.ics
 - spec/fixtures/two_events.ics
 - spec/fixtures/two_time_events.ics
+- spec/fixtures/tz_store_param_bug.ics
 - spec/fixtures/tzid_search.ics
 - spec/freebusy_spec.rb
 - spec/journal_spec.rb
@@ -359,4 +362,5 @@ test_files:
 - spec/values/period_spec.rb
 - spec/values/recur_spec.rb
 - spec/values/text_spec.rb
+- spec/values/uri_spec.rb
 - spec/values/utc_offset_spec.rb