SOGo | BTS

ID: 0003696
Project: SOGo
Category: Backend Calendar
View Status: public
Date Submitted: 2016-05-25 08:35
Last Update: 2018-12-04 03:23
Reporter: Jens Erat
Assigned To: ludovic
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 2.3.9
Target Version / Fixed in Version: (not set)
Summary: 0003696: Meta information can be derived from UID/DTSTAMP attributes though "View the Date & Time" restricted access
Description:
It is possible to derive meta information from free/busy views with a reasonable amount of work. In particular, one can derive common appointments between other people even if permissions are restricted to 'View the Date & Time' by joining the appointments of all users.

Fetching all appointments is a rather uncomplicated task through some scripts walking through user search and CalDAV.

The 'View the Date & Time' permissions should also hide UID and DTSTAMP, or provide faked values that prevent such joins. RFC 2445 marks those as optional.

If the UID field is required in practice to have a permanent value, a derived UID like one calculated from `sha256(calendar_owner + salt + original_uid)` with a per-user or per-server salt could be applied. DTSTAMP seems a little more difficult to be faked.

An example when this might be critical is if you make an appointment with the workers' council, which your boss might not like.

I did not verify whether the values can be accessed through CalDAV and the XML feed, but they are definitely available in the ICS feed.
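Added example (not part of this report and not SOGo code) illustrating the two halves of the description: how identical UIDs across two users' restricted views allow a join, and how an owner-specific derived UID plus a regenerated DTSTAMP removes that. The event values, salts and owner names are constructed; the derivation uses HMAC-SHA256 over owner and UID keyed with the salt, a keyed variant of the sha256(calendar_owner + salt + original_uid) proposal, so field boundaries are unambiguous.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample: the same meeting as stored in two users' calendars.
# UID, timestamps and summary are made up for this example.
EVENT_IN_ALICE_CAL = {
    "UID": "4f3a-meeting@example.com",
    "DTSTAMP": "20160520T091500Z",
    "DTSTART": "20160601T100000Z",
    "DTEND": "20160601T110000Z",
    "SUMMARY": "Workers' council",
}
EVENT_IN_BOB_CAL = dict(EVENT_IN_ALICE_CAL)


def derive_uid(calendar_owner: str, original_uid: str, salt: bytes) -> str:
    """Return a stable, owner-specific replacement for an iCalendar UID.

    Deterministic per (owner, salt, uid), so a CalDAV client sees the same
    value on every sync, but different owners (or different per-server salts)
    yield unrelated values, so views of two users cannot be joined on UID.
    """
    msg = b"\x00".join([calendar_owner.encode("utf-8"), original_uid.encode("utf-8")])
    digest = hmac.new(salt, msg, hashlib.sha256).hexdigest()
    # "@freebusy.invalid" is an assumed placeholder domain for derived UIDs.
    return f"{digest}@freebusy.invalid"


def restricted_view(event: dict, calendar_owner: str, salt: bytes,
                    generated_at: datetime) -> dict:
    """Render one event as a 'View the Date & Time' consumer should see it.

    Only start/end survive; UID is replaced by the derived value and DTSTAMP
    by the time the view was generated, so neither leaks the original event.
    """
    return {
        "UID": derive_uid(calendar_owner, event["UID"], salt),
        "DTSTAMP": generated_at.strftime("%Y%m%dT%H%M%SZ"),
        "DTSTART": event["DTSTART"],
        "DTEND": event["DTEND"],
    }


def joinable_uids(view_a: list, view_b: list) -> set:
    """UIDs present in both views. A non-empty result means the views can be
    joined to infer that the two owners share an appointment."""
    return {e["UID"] for e in view_a} & {e["UID"] for e in view_b}


if __name__ == "__main__":
    now = datetime(2016, 5, 25, 8, 35, tzinfo=timezone.utc)
    raw = joinable_uids([EVENT_IN_ALICE_CAL], [EVENT_IN_BOB_CAL])
    print("joinable on raw UIDs:", raw)
    view_a = [restricted_view(EVENT_IN_ALICE_CAL, "alice", b"server-salt", now)]
    view_b = [restricted_view(EVENT_IN_BOB_CAL, "bob", b"server-salt", now)]
    print("joinable on derived UIDs:", joinable_uids(view_a, view_b))
```

With a single per-server salt the owner name alone separates the derived values; with per-user salts the server does not even need to include the owner in the message, but doing both costs nothing.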
Tags: No tags attached.
Attached Files: (none)

Notes

(0010227)
ludovic (administrator)
2016-05-27 10:57

See 0003695

Issue History
Date Modified Username Field Change
2016-05-25 08:35 Jens Erat New Issue
2016-05-27 10:57 ludovic Note Added: 0010227
2016-05-27 10:57 ludovic Status new => resolved
2016-05-27 10:57 ludovic Resolution open => fixed
2016-05-27 10:57 ludovic Assigned To => ludovic