[Users] [Bug 2782] New: [security] vCalendar: status tray should display "Fetching: <folder>" vs "Fetching: <url>"

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Wed Nov 14 16:36:39 CET 2012


           Summary: [security] vCalendar: status tray should display
                    "Fetching: <folder>" vs "Fetching: <url>"
           Product: Claws Mail
           Version: other
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P3
         Component: Plugins
        AssignedTo: users at lists.claws-mail.org
        ReportedBy: cswiii at gmail.com

In some instances, it might be the case that the only possible way to access a
calendaring service is through https, and in such cases, the only way to
authenticate (at least within the confines of vCalendar) is by embedding the
username:password into the ics URL and/or have a 'private' url that shouldn't
be shared.  

In either case, after configuring a calendar and trying to access it, the full
url is displayed in the status tray when trying to poll the calendar, something

Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...

Thus, use of the vCalendar plugin really isn't suitable or secure for such
configurations!  In the scenarios above, the former is more of a concern but
neither is one you'd necessarily want to expose to prying eyes.  Even a google
calendar "private url", for example, is visible it its entirety within the
status tray.

Simply display the name that user has given to the calendar subscription in the
tray instead.  Instead of what is currently displayed, just display something

Fetching 'My Enterprisey Collaboration Suite Calendar..."
Fetching 'Google Calendar'...

Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the Users mailing list