[kaddressbook] [Bug 502223] New: Kaddressbook exposes all address collections of the connecting user when connecting via carddav...

piedro bugzilla_noreply at kde.org
Mon Mar 31 02:12:35 BST 2025


https://bugs.kde.org/show_bug.cgi?id=502223

            Bug ID: 502223
           Summary: Kaddressbook exposes all address collections of the
                    connecting user when connecting via carddav...
    Classification: Applications
           Product: kaddressbook
           Version: 5.24.2
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kdepim-bugs at kde.org
          Reporter: piedro.kulman at gmail.com
  Target Milestone: ---

SUMMARY

When using kaddressbook to connect to my carddav address server (Synology
Contacts) I cannot single out one exclusive collection.

The dialog to create a new addressbook and connect to the carddav server shows
all my six collections (like "job contacts", "private contacts", "archived
contacts" and so forth...) to be found on the server.

It correctly displays six different carddav addresses for the collections.

But connecting to any single collection address out of these always pulls all
of the other six collections in as address folders too - the address book exposes
all six collections hosted on the server in the kaddressbook folder list.

This seems to me to be a severe bug and security breach - this shouldn't be the
intended behaviour.
On my family PC, to which my kids will have occasional access, I certainly do not
want my job address collection to be exposed for reading and, even worse, to be
subject to being deleted or changed.

To be honest I don't understand how this is even possible.

I tested this connecting with a restricted user account on the server - even in
this case I get the same result.

To ensure it's not the server messing up I tried doing the same with
thunderbird. In this case I can correctly connect to every single collection
individually without any exposure of the other collections owned by this
server's user account. Sadly I do not have the skill to pinpoint the cause of
this behaviour by kaddressbook's carddav implementation. 

STEPS TO REPRODUCE
1. create multiple address collections in a carddav account (for me that's with
Synology Contacts on a NAS, DSM 7.2)
2. connect to the individual carddav server address of one of the collections
3. the connection dialog will show all collections within this user's account

OBSERVED RESULT
Every single collection is exposed with read/write permission as a kaddressbook
folder and can even be deleted completely from the server through kaddressbook,
as they are all owned by the connecting user.

EXPECTED RESULT
Only connect to one collection when using its carddav address and add it as a
single address folder in kaddressbook.

SOFTWARE/OS VERSIONS
Operating System: openSUSE Tumbleweed 20250325
KDE Plasma Version: 6.3.3
KDE Frameworks Version: 6.12.0
Qt Version: 6.8.2
Kernel Version: 6.13.7-1-default (64-bit)
Graphics Platform: Wayland

As said, other clients like Thunderbird do not show this behaviour nor expose
additional access.
