|Anonymous | Login | Signup for a new account||2019-05-26 09:28 EDT|
|My View | View Issues | Change Log | Roadmap | Repositories|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003696||SOGo||Backend Calendar||public||2016-05-25 08:35||2018-12-04 03:23|
|Target Version||Fixed in Version|
|Summary||0003696: Meta information can be derived from UID/DTSTAMP attributes though "View the Date & Time" restricted access|
|Description||It is possible to derive meta information from free/busy views with reasonable amount of work. In especially, one can derive common appointments between other people even if permissions are restricted to 'View the Date & Time' by joining appointments of all users.|
Fetching all appointments is a rather uncomplicated task through some scripts walking through user search and CalDAV.
The 'View the Date & Time' permissions should also hide UID and DTSTAMP, or provide faked values that prevent such joins. RFC 2445 marks those as optional.
If the UID field is required in practice to have a permanent value, a derived UID like one calculated from `sha256(calendar_owner + salt + original_uid)` with a per-user or per-server salt could be applied. DTSTAMP seems a little more difficult to be faked.
An example when this might be critical is if you make an appointment with the workers' council, which your boss might not like.
I did not verify whether the values can be accessed through CalDAV and the XML feed, but are definitely available in the ICS feed.
|Tags||No tags attached.|
|2016-05-25 08:35||Jens Erat||New Issue|
|2016-05-27 10:57||ludovic||Note Added: 0010227|
|2016-05-27 10:57||ludovic||Status||new => resolved|
|2016-05-27 10:57||ludovic||Resolution||open => fixed|
|2016-05-27 10:57||ludovic||Assigned To||=> ludovic|
|Copyright © 2000 - 2019 MantisBT Team|