Bug 365350

Summary: password visible on screen / in URL when testing connection to Xchange calendar
Product: [Applications] korganizer
Reporter: le.trmr
Component: groupware
Assignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED FIXED
Severity: normal
CC: le.trmr
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Arch Linux
OS: Linux
Latest Commit:
Version Fixed/Implemented In: 5.3.0
Sentry Crash Report:
Attachments: Screenshot

Description le.trmr 2016-07-11 11:48:59 UTC
When trying to test the connection of a new XO calendar (in the configuration dialogue), the connection might fail, subsequently revealing the whole GET URL including the cleartext password on screen. This happens when one enters a server without https:// in front.

Reproducible: Always

Steps to Reproduce:
1. Open KOrganizer
2. Navigate to General Settings -> Calendar Tab and Add a calendar
3. Select Open-Xchange Groupware Server
4. Type in (wrong, without https://) server, user and password combination
5. Click test connection

Actual Results:  
A pop-up error dialogue displaying the whole GET URL, including the cleartext password.

Expected Results:  
Notification of error without revealing password in cleartext.
(Not sending password in cleartext in the first place.)

Version 5.2.2
KDE Frameworks 5.23.0
Qt 5.7.0 (compiled against 5.6.0)
Comment 1 le.trmr 2016-07-11 11:50:18 UTC
Created attachment 100003
Screenshot
Comment 2 Laurent Montel 2016-08-01 11:59:23 UTC
Git commit 15296cb80be303c2fdad39ed2e055521eba30c43 by Montel Laurent.
Committed on 01/08/2016 at 11:58.
Pushed by mlaurent into branch 'Applications/16.08'.

Fix Bug 365350 - password visible on screen / in URL when testing connection to Xchange calendar

Force to use a valid url

FIXED-IN: 5.3.0

M  +3    -0    resources/openxchange/oxa/connectiontestjob.cpp

http://commits.kde.org/kdepim-runtime/15296cb80be303c2fdad39ed2e055521eba30c43
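
An added example, not the code from the kdepim-runtime commit above: one way to reject a server string that lacks an explicit scheme before any request is built, and to mask secret query parameters before a URL reaches an error dialog or a log. The host, the `/ajax/login` path, the `password` parameter name and the sample values are constructed assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// True only if the server string starts with an explicit http(s):// scheme
// followed by at least one more character (scheme match is case-insensitive).
bool hasExplicitScheme(const std::string &server) {
    std::string lower(server);
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    for (const char *scheme : {"https://", "http://"}) {
        const std::string s(scheme);
        if (lower.size() > s.size() && lower.compare(0, s.size(), s) == 0) return true;
    }
    return false;
}

// Replaces the value of every query parameter listed in secretKeys with "***"
// so the URL is safe to display. Path and fragment are left untouched.
std::string redactQuery(const std::string &url, const std::vector<std::string> &secretKeys) {
    const std::size_t q = url.find('?');
    if (q == std::string::npos) return url;            // no query, nothing to mask
    std::size_t end = url.find('#', q);
    if (end == std::string::npos) end = url.size();
    std::string out = url.substr(0, q + 1);
    for (std::size_t pos = q + 1; pos <= end;) {
        std::size_t amp = url.find('&', pos);
        if (amp == std::string::npos || amp > end) amp = end;
        const std::string pair = url.substr(pos, amp - pos);
        const std::size_t eq = pair.find('=');
        const std::string key = pair.substr(0, eq);
        const bool secret = eq != std::string::npos &&
            std::find(secretKeys.begin(), secretKeys.end(), key) != secretKeys.end();
        out += secret ? key + "=***" : pair;
        if (amp < end) out += '&';
        pos = amp + 1;
    }
    return out + url.substr(end);                      // re-attach any fragment
}

int main() {
    const std::string server = "ox.example.org";       // constructed: scheme omitted
    if (!hasExplicitScheme(server)) std::cout << "Invalid server URL: scheme missing\n";
    std::cout << redactQuery("https://ox.example.org/ajax/login?action=login"
                             "&name=alice&password=s3cret", {"password"}) << "\n";
}
```

Masking protects only what is displayed; a password carried in a GET query string can still end up in server and proxy logs.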