Bug 346439

Summary: kio error message contains part of the password
Product: [Frameworks and Libraries] Akonadi
Reporter: Andrius Štikonas <andrius>
Component: DAV Resource
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: greg, kdelibs-bugs
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: akonadi error message

Description Andrius Štikonas 2015-04-21 20:59:40 UTC
Part of the password is exposed in error message:

You are about to log in to the site "example.com" with the username "user:partofpassword@", but the website does not require authentication. This may be an attempt to trick you.
Is "example.com" the site you want to visit?

Reproducible: Always

Steps to Reproduce:
1. Create some online service with authentication, e.g. you can use owncloud's caldav.
2. Choose a password containing @. E.g. "partofpassword@restofthepassword"
3. If caldav is inaccessible for some reason, kio prints this warning message.

Actual Results:  
Part of the password is exposed

Expected Results:  
Only username is printed.

I guess kio looks for the last '@' character in the string "username@password"
Comment 1 Andrius Štikonas 2015-04-21 21:10:11 UTC
Actually, I had a calendar account in korganizer and a carddav account in kaddressbook, both pointing to owncloud. I hope it helps to reproduce the bug.
Comment 2 David Faure 2015-05-14 23:46:49 UTC
KIO doesn't purposely show passwords, but the URL sent by the carddav implementation must construct the URL wrongly (e.g. not using QUrl::setPassword, which would correctly encode the '@' in the password).

Reassigning to the davgroupware resource.
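
The point made in comment 2, as an added example that is not part of the original report or of KDE's code: a URL built by plain concatenation has two readings when the password contains '@', while percent-encoding the credentials first leaves only one. It uses standard C++ only; `encodeUserinfo`, `buildNaive`, `buildEncoded`, `splitAuthority` and `unambiguous` are hypothetical names, the encoder stands in for the encoding comment 2 attributes to `QUrl::setPassword`, and input is assumed to be a well-formed `scheme://authority/` URL.

```cpp
#include <cctype>
#include <string>

// Percent-encode everything outside RFC 3986 "unreserved", so '@', ':' and '/'
// inside a credential can never be read as URL delimiters.
std::string encodeUserinfo(const std::string &raw) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : raw) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            out += static_cast<char>(c);
        else
            out += {'%', hex[c >> 4], hex[c & 0x0F]};
    }
    return out;
}

// Hypothetical builders: raw concatenation versus encoded components.
std::string buildNaive(const std::string &user, const std::string &pass, const std::string &host) {
    return "https://" + user + ":" + pass + "@" + host + "/";
}
std::string buildEncoded(const std::string &user, const std::string &pass, const std::string &host) {
    return "https://" + encodeUserinfo(user) + ":" + encodeUserinfo(pass) + "@" + host + "/";
}

struct Authority { std::string user, password, host; };

// Split "scheme://user:password@host/..." treating either the first or the
// last '@' of the authority as the end of the userinfo.
Authority splitAuthority(const std::string &url, bool useLastAt) {
    const std::size_t start = url.find("://") + 3;
    const std::string auth = url.substr(start, url.find('/', start) - start);
    const std::size_t at = useLastAt ? auth.rfind('@') : auth.find('@');
    const std::string userinfo = auth.substr(0, at);
    const std::size_t colon = userinfo.find(':');
    return {userinfo.substr(0, colon), userinfo.substr(colon + 1), auth.substr(at + 1)};
}

// True when both splitting rules agree, i.e. the URL has exactly one reading.
bool unambiguous(const std::string &url) {
    const Authority a = splitAuthority(url, false), b = splitAuthority(url, true);
    return a.user == b.user && a.password == b.password && a.host == b.host;
}

int main() {  // constructed sample, using the password from the report
    const std::string pw = "partofpassword@restofthepassword";
    return unambiguous(buildEncoded("user", pw, "example.com")) ? 0 : 1;
}
```

A caller that logs or displays the URL can run the same `unambiguous` check before the string leaves the process and refuse to print one that fails it.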
Comment 3 Grégory Oestreicher 2015-06-25 21:03:10 UTC
Hey,

Which version are we talking about here? I can't have part of the password displayed when trying to reproduce this (non 401 response code and a password containing a '@').

Cheers,
Grégory
Comment 4 Andrius Štikonas 2015-06-25 21:30:29 UTC
This was tested on KDE 4.14.3.

Well, since next kde-apps release will contain KF5 versions of kdepim, I can test this bug later, maybe it got fixed...
Comment 5 Grégory Oestreicher 2015-06-25 21:38:57 UTC
Nope, I've tested with 4.14.10 (well, what will be this version), not the KF5 version, and I can't reproduce it. Also nothing has changed since 4.14.3 that may explain the bug, at least in the resource.

Per chance, do you remember the status code you got, if you ever saw it?

Cheers,
Grégory
Comment 6 Andrius Štikonas 2015-06-25 21:44:07 UTC
Unfortunately, I don't remember it now. I'll try to reproduce this again when I have some free time and see if status code is displayed...
Comment 7 Grégory Oestreicher 2016-02-06 23:50:41 UTC
Well, no news, assuming good news.
Comment 8 Andrius Štikonas 2016-02-08 22:26:50 UTC
(In reply to Grégory Oestreicher from comment #7)
> Well, no news, assuming good news.

Ok, I just tested with KDE Application 15.12.1 and it still doesn't work. However, the dialog with the password is not shown anymore. But the Akonadi console says "Broken resource" and "Malformed URL".
Comment 9 Andrius Štikonas 2016-02-08 22:33:30 UTC
Created attachment 97094
akonadi error message
Comment 10 Grégory Oestreicher 2016-02-09 06:28:44 UTC
Do you see anything in your ~/.xsession-errors? If the password is shown redact it but try to keep the rest intact :)
Comment 11 Andrius Štikonas 2016-02-09 17:01:25 UTC
(In reply to Grégory Oestreicher from comment #10)
> Do you see anything in your ~/.xsession-errors? If the password is shown
> redact it but try to keep the rest intact :)

Not really. Can't see anything related. Pasted here: https://paste.kde.org/pncluuopx
Comment 12 Andrius Štikonas 2016-02-09 18:33:24 UTC
Ok, I completely deleted my Akonadi resources and settings and recreated my accounts. Seems that this is no longer a problem now.