[kaddressbook] [Bug 502223] Kaddressbook exposes all address collections of the connecting user when connecting via carddav...
piedro
bugzilla_noreply at kde.org
Tue Apr 1 13:24:43 BST 2025
https://bugs.kde.org/show_bug.cgi?id=502223
piedro <piedro.kulman at gmail.com> changed:
What          |Removed |Added
----------------------------------------------------------------------------
CC            |        |piedro.kulman at gmail.com
--- Comment #1 from piedro <piedro.kulman at gmail.com> ---
I contacted Synology and reported this as a security breach which should be
prevented by the server in the first place.
Now the Synology developers have created a temporary solution: a setting to
prevent individual address books (collections) from being exposed to CardDAV
clients which use the same method of access as KAddressBook does.
This is obviously just a measure on their part to secure their CardDAV server
implementation. It seems they take this seriously and started working on it
immediately. Honestly, I am surprised that they came up with a workaround
within two days!
In their response they pinpointed the problem within KAddressBook: it seems
to access CardDAV servers using a "PROPFIND request".
I guess that's the culprit and shouldn't be too hard to fix?
Here's their remark:
Synology, 2025-04-01 06:26:50:
"Thanks for your waiting.
After confirming with the developers, some CardDAV will force a PROPFIND
request for all non-hidden address books."
Hope this helps. Please fix this; this bug is a severe security issue imho...
Thx, pk
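As an added illustration of the discovery mechanism the comment above refers to (example code added by the editor; it is not part of the bug report and not code from KAddressBook or Synology): a CardDAV client issues one PROPFIND with Depth: 1 on the user's address-book home and treats every child whose resourcetype carries <card:addressbook> as an address book to sync, so everything the server lists in that reply is exposed to the client. The render_multistatus function is a simplified model of a per-collection "hide from listing" setting, assumed here to work by leaving hidden collections out of the reply; the home path, collection names and the hidden set are constructed sample data.

```python
"""CardDAV address-book discovery via PROPFIND, plus a server-side model of
hiding collections from that listing.  All paths and names below are
constructed sample data, not captured from KAddressBook or a Synology server."""
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "card": "urn:ietf:params:xml:ns:carddav"}

# Body a client sends to learn the type and name of every child of the home.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:propfind xmlns:d="DAV:">'
    '<d:prop><d:resourcetype/><d:displayname/></d:prop>'
    '</d:propfind>'
)


def propfind_request(home_path):
    """Method, path, headers and body of the discovery request.
    Depth: 1 asks for the home collection and its direct children, which is
    why every address book the server chooses to list comes back at once."""
    headers = {"Depth": "1",
               "Content-Type": 'application/xml; charset="utf-8"'}
    return "PROPFIND", home_path, headers, PROPFIND_BODY


def render_multistatus(home_href, children, hidden=frozenset()):
    """Server side: build the 207 Multi-Status reply to the Depth: 1 PROPFIND.
    `children` is a list of (href, displayname, is_addressbook).  Any href in
    `hidden` is left out of the reply entirely.  Assumption: this is how a
    per-collection hide setting behaves; it is not Synology's code."""
    ET.register_namespace("d", NS["d"])
    ET.register_namespace("card", NS["card"])
    ms = ET.Element("{DAV:}multistatus")

    def add(href, name, is_addressbook):
        resp = ET.SubElement(ms, "{DAV:}response")
        ET.SubElement(resp, "{DAV:}href").text = href
        propstat = ET.SubElement(resp, "{DAV:}propstat")
        prop = ET.SubElement(propstat, "{DAV:}prop")
        rtype = ET.SubElement(prop, "{DAV:}resourcetype")
        ET.SubElement(rtype, "{DAV:}collection")
        if is_addressbook:
            ET.SubElement(rtype, "{urn:ietf:params:xml:ns:carddav}addressbook")
        ET.SubElement(prop, "{DAV:}displayname").text = name
        ET.SubElement(propstat, "{DAV:}status").text = "HTTP/1.1 200 OK"

    # The home itself is a plain collection and is always listed.
    add(home_href, home_href.rstrip("/").rsplit("/", 1)[-1], False)
    for href, name, is_addressbook in children:
        if href not in hidden:
            add(href, name, is_addressbook)
    return ET.tostring(ms, encoding="unicode")


def discover_addressbooks(multistatus_xml):
    """Client side: every <response> with a 200 propstat whose resourcetype
    carries <card:addressbook> is an address book the client will sync."""
    root = ET.fromstring(multistatus_xml)
    found = []
    for resp in root.findall("d:response", NS):
        href = resp.findtext("d:href", namespaces=NS)
        for propstat in resp.findall("d:propstat", NS):
            status = propstat.findtext("d:status", default="", namespaces=NS)
            if "200" not in status:
                continue
            rtype = propstat.find("d:prop/d:resourcetype", NS)
            if rtype is None or rtype.find("card:addressbook", NS) is None:
                continue
            name = propstat.findtext("d:prop/d:displayname",
                                     default=href, namespaces=NS)
            found.append((href, name))
    return found


# Constructed sample: one user's home with three address books and one
# ordinary collection that is not an address book.
HOME = "/addressbooks/alice/"
SAMPLE_CHILDREN = [
    ("/addressbooks/alice/personal/", "Personal", True),
    ("/addressbooks/alice/work/", "Work", True),
    ("/addressbooks/alice/shared-hr/", "HR directory", True),
    ("/addressbooks/alice/attachments/", "attachments", False),
]


if __name__ == "__main__":
    method, path, headers, body = propfind_request(HOME)
    print(method, path, headers)
    # Default server: every non-hidden address book is listed and discovered.
    print(discover_addressbooks(render_multistatus(HOME, SAMPLE_CHILDREN)))
    # With the HR book hidden, the same client request no longer sees it.
    print(discover_addressbooks(render_multistatus(
        HOME, SAMPLE_CHILDREN, hidden={"/addressbooks/alice/shared-hr/"})))
```

The point to take from the two runs in the main block is that the client never names a collection: it asks for the whole home and takes whatever comes back, so the only place to limit what a connecting user sees is the server's reply (or the server's access control on each collection), not the client's choice of request.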