Bug 2782 - [security] vCalendar: status tray should display "Fetching: <folder>" vs "Fetching: <url>"
Status: RESOLVED FIXED
Product: Claws Mail
Classification: Unclassified
Component: Plugins/vCalendar
: other
: PC Linux
: P3 major
Assigned To: users
Depends on:
Blocks:
Reported: 2012-11-14 16:36 CET by corey welton
Modified: 2014-02-03 02:51 CET
Attachments
(obscured) screen snippet of exposed credentials (4.87 KB, image/png)
2012-11-14 16:39 CET, corey welton

Description corey welton 2012-11-14 16:36:38 CET
In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or having a 'private' URL that shouldn't be shared.

In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like:

Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations! In the scenarios above, the former is more of a concern but neither is one you'd necessarily want to expose to prying eyes. Even a Google Calendar "private url", for example, is visible in its entirety within the status tray.

SOLUTION:
Simply display the name that the user has given to the calendar subscription in the tray instead. Instead of what is currently displayed, just display something like

Fetching 'My Enterprisey Collaboration Suite Calendar'...
Fetching 'Google Calendar'...
Comment 1 corey welton 2012-11-14 16:39:50 CET
Created attachment 1182
(obscured) screen snippet of exposed credentials
Comment 2 corey welton 2012-11-14 16:52:20 CET
vCalendar plugin
Version: 2.0.13

Claws Mail
version 3.8.1

System Information
GTK+ 2.24.13 / GLib 2.32.4
Locale: en_US.UTF-8 (charset: UTF-8)
Operating System: Linux 3.6.3-1.fc17.x86_64 (x86_64)
Comment 3 Henri Salo 2012-11-16 01:15:53 CET
CVE-request done in: http://www.openwall.com/lists/oss-security/2012/11/15/5
Comment 4 Colin Leroy 2012-11-16 10:04:38 CET
Fixed in:

2012-11-16 [colin]      2.0.14cvs3

        * src/vcal_folder.c
        * src/vcal_folder.h
        * src/vcal_meeting_gtk.c
                Fix bug #2782, '[security] vCalendar: status tray should display
                "Fetching: <folder>" vs "Fetching: <url>"'
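An added example, not part of the bug thread and not the Claws Mail patch: one way to build the status text so the subscription name is shown, with a fallback to scheme and host only when no name is set. The function names `fetch_status_text` and `url_display_origin` and the generic label "calendar" are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reduce url to "scheme://host[:port]": drops userinfo (user:password@),
 * path, query and fragment, because a "private" URL keeps its secret in
 * the path. Returns 0 on success, -1 if url has no usable authority. */
static int url_display_origin(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url)
        return -1;
    const char *auth = sep + 3;
    size_t auth_len = strcspn(auth, "/?#");  /* end of authority */
    const char *host = auth;
    for (size_t i = 0; i < auth_len; i++)    /* userinfo ends at last '@' */
        if (auth[i] == '@')
            host = auth + i + 1;
    size_t host_len = auth_len - (size_t)(host - auth);
    if (host_len == 0)
        return -1;
    int n = snprintf(out, outlen, "%.*s://%.*s",
                     (int)(sep - url), url, (int)host_len, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Build the status text. Prefers the user-chosen subscription name and
 * never copies the raw URL into the message. Returns 0, or -1 if out is
 * too small. */
int fetch_status_text(const char *folder_name, const char *url,
                      char *out, size_t outlen)
{
    char origin[256];
    const char *label = folder_name;
    if (label == NULL || *label == '\0') {
        label = "calendar";                  /* hypothetical generic label */
        if (url != NULL && url_display_origin(url, origin, sizeof origin) == 0)
            label = origin;
    }
    int n = snprintf(out, outlen, "Fetching '%s'...", label);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char msg[300];
    /* Constructed input, modelled on the URL quoted in the report. */
    const char *url = "https://user:password@server.example.com/location/of/my/Calendar";
    if (fetch_status_text("", url, msg, sizeof msg) == 0)
        puts(msg);
    return 0;
}
```

The same label should be used wherever the fetch is reported (error dialogs, logs), since those are equally visible places for the URL to end up.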
Comment 5 Alexa 2014-02-03 02:51:29 CET