[Users] [Bug 4745] New: oauth2: built-in client_id can be stored as plain text

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Jan 19 18:38:11 UTC 2024


https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4745

            Bug ID: 4745
           Summary: oauth2: built-in client_id can be stored as plain text
           Product: Claws Mail (GTK 2)
           Version: GIT
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: olaf at aepfle.de

Created attachment 2414
  -->
https://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=2414&action=edit
gtk2-oauth2-built-in-client_id-can-be-stored-as-plain-tex.patch

In case Claws Mail is compiled with a built-in client_id and client_secret,
both strings can safely be stored as plain text. There is no need to encode
them as a base64 string. The characters to be used are apparently undefined by
RFC6749. It is safe to assume issued client_id strings fit in the ASCII range.
In the unlikely case such a string contains a quotation mark, it can be escaped
with a backslash.

Remove the usage of oauth2_decode, and also the now unused function. While
there, also remove the already unused function oauth2_encode.

-- 
You are receiving this mail because:
You are the assignee for the bug.

