In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or have a 'private' url that shouldn't be shared. In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like: Fetching 'https://user:password@server.example.com/location/of/my/Calendar'... Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations! In the scenarios above, the former is more of a concern but neither is one you'd necessarily want to expose to prying eyes. Even a google calendar "private url", for example, is visible it its entirety within the status tray. SOLUTION: Simply display the name that user has given to the calendar subscription in the tray instead. Instead of what is currently displayed, just display something like Fetching 'My Enterprisey Collaboration Suite Calendar..." Fetching 'Google Calendar'...
Created attachment 1182 [details] (obscured) screen snippet of exposed credentials
vCalendar plugin Version: 2.0.13 Claws Mail version 3.8.1 System Information GTK+ 2.24.13 / GLib 2.32.4 Locale: en_US.UTF-8 (charset: UTF-8) Operating System: Linux 3.6.3-1.fc17.x86_64 (x86_64)
CVE-request done in: http://www.openwall.com/lists/oss-security/2012/11/15/5
Fixed in: 2012-11-16 [colin] 2.0.14cvs3 * src/vcal_folder.c * src/vcal_folder.h * src/vcal_meeting_gtk.c Fix bug #2782, '[security] vCalendar: status tray should display "Fetching: <folder>" vs "Fetching: <url>"'