Bug 271220

Summary: Accountwizard downloads data without user interaction
Product: [Applications] kdepim Reporter: Andre Heinecke <aheinecke>
Component: wizardsAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED    
Severity: major CC: mitchell, security, stasnel
Priority: VHI    
Version: GIT (master)   
Target Milestone: ---   
Platform: Compiled Sources   
OS: All   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Debugoutput of accountwizard startup
Debug output with the correct MIME type

Description Andre Heinecke 2011-04-18 16:44:11 UTC 
Version:           GIT (master) (using Devel) 
OS:                All

When you open the accountwizard it accesses api.opendesktop.org before you do anything.
This is observable when you do not have a valid certificate for api.opendesktop.org installed it will bring up the Server Authentication dialog.

This is even with Enterprise build options where "Find provider settings on the Internet" is disabled by default. 

This is a security problem.

Reproducible: Always

Steps to Reproduce:
Do not have any valid certificate for api.opendesktop.org.
Open the accountwizard.


Expected Results:  
The accountwizard should not connect to anything apart from the server you configure if you do not explicitly tell it to.
Comment 1 Andre Heinecke 2011-04-18 17:20:09 UTC 
Created attachment 59102 [details]
Debugoutput of accountwizard startup
Comment 2 Andre Heinecke 2011-04-18 17:22:15 UTC 
As the debug output shows not only does it try to connect to api.opendesktop.org but it also opens an unencrypted connection to "http://download.kde.org/ocs/providers.xml"

Note again this is before any user interaction and right after the Accountwizard startup.
Comment 3 Andre Heinecke 2011-04-18 17:44:45 UTC 
Created attachment 59103 [details]
Debug output with the correct MIME type
Comment 4 Andre Heinecke 2011-04-18 17:51:42 UTC 
CC'ed security@kde.org since i can not assess how dangerous GetHotNewStuff really is.
Comment 5 Jeff Mitchell 2011-04-19 11:50:55 UTC 
It's not nice behavior but I don't see it being a security problem. Lots of things connect to a service by default; the problem here sounds like it's simply that the toggle to disable that behavior doesn't work correctly. It's a bug, but it should definitely be fixed.
Comment 6 Denis Kurz 2016-09-24 21:00:07 UTC 
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug still present?

If noone confirms this bug for a Framework-based version of kdepim (version 5.0 or later, as part of KDE Applications 15.08 or later), it gets closed in about three months.
Comment 7 Denis Kurz 2017-01-07 22:27:37 UTC 
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.