Bug 2782

Summary: [security] vCalendar: status tray should display "Fetching: <folder>" vs "Fetching: <url>"
Product: Claws Mail (GTK 2)
Component: Plugins/vCalendar
Reporter: corey welton <cswiii>
Assignee: users
CC: henri
Status: RESOLVED FIXED
Severity: major
Priority: P3
Version: other
Hardware: PC
OS: Linux
Attachments: (obscured) screen snippet of exposed credentials (flags: none)

Description corey welton 2012-11-14 16:36:38 UTC
In some instances, it might be the case that the only possible way to access a calendaring service is through https, and in such cases, the only way to authenticate (at least within the confines of vCalendar) is by embedding the username:password into the ics URL and/or have a 'private' url that shouldn't be shared.  

In either case, after configuring a calendar and trying to access it, the full url is displayed in the status tray when trying to poll the calendar, something like:

Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for such configurations!  In the scenarios above, the former is more of a concern but neither is one you'd necessarily want to expose to prying eyes.  Even a google calendar "private url", for example, is visible in its entirety within the status tray.

SOLUTION:
Simply display the name that user has given to the calendar subscription in the tray instead.  Instead of what is currently displayed, just display something like

Fetching 'My Enterprisey Collaboration Suite Calendar'...
Fetching 'Google Calendar'...
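
The display rule proposed above, as an added example (not part of the original report and not the Claws Mail fix itself): show the subscription name, and when none is set show only the scheme and host of the URL, since the path of a "private" URL is as sensitive as embedded credentials. `fetch_status`, `url_origin` and the `(calendar)` placeholder are hypothetical names chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Reduce a URL to "scheme://host[:port]". Userinfo, path and query are dropped,
 * because any of them can carry the secret (password or private-URL token).
 * Assumes '/', '?' and '#' inside userinfo are percent-encoded (RFC 3986). */
static void url_origin(const char *url, char *out, size_t outlen)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL) {                  /* not an absolute URL: show none of it */
        snprintf(out, outlen, "(calendar)");   /* hypothetical placeholder text */
        return;
    }
    const char *auth = sep + 3;
    size_t alen = strcspn(auth, "/?#"); /* authority ends at the first / ? or # */
    const char *host = auth;
    for (size_t i = 0; i < alen; i++)   /* userinfo ends at the LAST '@', so a */
        if (auth[i] == '@')             /* stray '@' in a password stays hidden */
            host = auth + i + 1;
    snprintf(out, outlen, "%.*s%.*s", (int)(auth - url), url,
             (int)(alen - (size_t)(host - auth)), host);
}

/* Status text for a fetch: the user-chosen subscription name when there is
 * one, otherwise only the origin of the URL. */
const char *fetch_status(const char *name, const char *url,
                         char *out, size_t outlen)
{
    char shown[256];
    if (name != NULL && name[0] != '\0')
        snprintf(shown, sizeof shown, "%s", name);
    else
        url_origin(url, shown, sizeof shown);
    snprintf(out, outlen, "Fetching '%s'...", shown);
    return out;
}

int main(void)
{
    /* Constructed sample input, modelled on the URL shape in the report. */
    const char *url = "https://user:password@server.example.com/location/of/my/Calendar";
    char msg[300];
    puts(fetch_status("Google Calendar", url, msg, sizeof msg));
    puts(fetch_status(NULL, url, msg, sizeof msg));
    return 0;
}
```

The same reduction applies to any other place the URL could surface, such as log lines or error dialogs.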
Comment 1 corey welton 2012-11-14 16:39:50 UTC
Created attachment 1182 [details]
(obscured) screen snippet of exposed credentials
Comment 2 corey welton 2012-11-14 16:52:20 UTC
vCalendar plugin
Version: 2.0.13

Claws Mail
version 3.8.1

System Information
GTK+ 2.24.13 / GLib 2.32.4
Locale: en_US.UTF-8 (charset: UTF-8)
Operating System: Linux 3.6.3-1.fc17.x86_64 (x86_64)
Comment 3 Henri Salo 2012-11-16 01:15:53 UTC
CVE-request done in: http://www.openwall.com/lists/oss-security/2012/11/15/5
Comment 4 Colin Leroy 2012-11-16 10:04:38 UTC
Fixed in:

2012-11-16 [colin]      2.0.14cvs3

        * src/vcal_folder.c
        * src/vcal_folder.h
        * src/vcal_meeting_gtk.c
                Fix bug #2782, '[security] vCalendar: status tray should display
                "Fetching: <folder>" vs "Fetching: <url>"'
Comment 5 Alexa 2014-02-03 02:51:29 UTC