From a555fdad40cea2e3e1012c4a615b513b16e544d3 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Mon, 2 Jul 2012 22:40:43 +1200
Subject: [PATCH] Deny calendar-query report on root, principal or addressbook

Even if recursive report is enabled.

---
 inc/caldav-REPORT-calquery.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/inc/caldav-REPORT-calquery.php b/inc/caldav-REPORT-calquery.php
index eccd7744..6d09f093 100644
--- a/inc/caldav-REPORT-calquery.php
+++ b/inc/caldav-REPORT-calquery.php
@@ -303,6 +303,9 @@ if ( ! ($target_collection->IsCalendar() || $target_collection->IsSchedulingColl
 if ( !(isset($c->allow_recursive_report) && $c->allow_recursive_report) ) {
 $request->DoResponse( 403, translate('The calendar-query report must be run against a calendar or a scheduling collection') );
 }
+ else if ( $request->path == '/' || $target_collection->IsPrincipal() || $target_collection->IsAddressbook() ) {
+ $request->DoResponse( 403, translate('The calendar-query report may not be run against that URL.') );
+ }
 /**
 * We're here because they allow recursive reports, and this appears to be such a location.
 */
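Review bot: The new `else if` uses a loose `==` for the root check and is a denylist: only the root path, principals and addressbooks are refused, so any other non-calendar, non-scheduling collection is still scanned recursively once `allow_recursive_report` is set, and an allowlist of the collection kinds the recursive scan is actually meant for would be the safer shape. At minimum make the path comparison strict and state the intent on the line: `else if ( $request->path === '/' || $target_collection->IsPrincipal() || $target_collection->IsAddressbook() ) { // never recurse from the root, a principal or an addressbook, whatever allow_recursive_report says`. Both 403 branches appear to rely on `DoResponse()` not returning, since control otherwise falls through to the recursive-report path below; that matches the pre-existing branch but is worth confirming, and whether `$request->path` is normalised (trailing slashes, `/./`) before reaching this comparison is not visible here. The enclosing `if ( ! ($target_collection->IsCalendar() ...` block continues past the end of the hunk.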