Bug 487882

Summary: plaintext HTTP request in kmail-account-wizard
Product: [Applications] kmail2
Reporter: shushangw <beardwen>
Component: general
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED
Severity: major
CC: montel
Priority: NOR
Version: 5.24.4
Target Milestone: ---
Platform: unspecified
OS: Unspecified
Latest Commit:
Version Fixed In: 6.2.0
Sentry Crash Report:

Description shushangw 2024-06-01 12:58:05 UTC
Summary:
A plain HTTP request (https://github.com/KDE/kmail-account-wizard/blob/master/src/ispdbservice.cpp#L29) is sent to retrieve the mail server's configuration file in the KMail account wizard.

Possible result:
Consider an attack scenario in which the attacker and the victim are both located in a coffee shop, sharing the same Wi-Fi network. The attacker can tamper with any content transmitted over the plaintext connection. For example, they could specify an attacker-controlled server as the target mail server.

If it is deliberate not to implement HTTPS, what is the reason for doing so?
Comment 1 Laurent Montel 2024-06-03 05:26:06 UTC
see https://wiki.mozilla.org/Thunderbird:Autoconfiguration
Comment 2 shushangw 2024-06-03 09:17:26 UTC
(In reply to Laurent Montel from comment #1)
> see https://wiki.mozilla.org/Thunderbird:Autoconfiguration

Thank you for your reply. However, for a more secure implementation, KMail should at least try HTTPS first and fall back to HTTP if it can't retrieve the configuration file successfully.

Also, the latest specification and discussion of autoconfiguration are referenced in:
- https://datatracker.ietf.org/doc/draft-bucksch-autoconfig/00/
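The HTTPS-first lookup with a guarded plaintext fallback that this comment asks for, written in Python here as an added example (not code from kmail-account-wizard or from the commenter). The lookup path, the sample config document and the rule that a document obtained over plaintext may only name servers inside the user's own mail domain are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample in the Thunderbird autoconfig (clientConfig) layout;
# not fetched from any real provider.
SAMPLE_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
  </emailProvider>
</clientConfig>"""

Fetcher = Callable[[str], Optional[str]]  # returns the body, or None on failure

@dataclass
class AutoconfigResult:
    url: str                 # URL the document was actually retrieved from
    transport_secure: bool   # True only when it came over HTTPS
    hostnames: List[str]     # every <hostname> found in the document

def candidate_urls(domain: str) -> List[str]:
    # Assumed lookup path; the HTTPS URL comes first so it is tried first.
    path = f"autoconfig.{domain}/mail/config-v1.1.xml"
    return [f"https://{path}", f"http://{path}"]

def server_hostnames(xml_body: str) -> List[str]:
    root = ET.fromstring(xml_body)
    return [h.text.strip() for h in root.iter("hostname") if h.text]

def lookup(domain: str, fetch: Fetcher) -> Optional[AutoconfigResult]:
    """Try HTTPS, then HTTP. A plaintext answer is unauthenticated, so it is
    accepted only if every server it names is inside the user's own domain
    (assumed policy); the caller can still warn on transport_secure=False."""
    for url in candidate_urls(domain):
        body = fetch(url)
        if body is None:
            continue  # unreachable over this transport, try the next one
        secure = url.startswith("https://")
        hosts = server_hostnames(body)
        if not secure and not all(
            h == domain or h.endswith("." + domain) for h in hosts
        ):
            return None  # plaintext document points elsewhere: discard it
        return AutoconfigResult(url, secure, hosts)
    return None  # nothing retrievable over either transport
```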
Comment 3 Laurent Montel 2024-06-03 11:43:40 UTC
Git commit 9784f5ab41c3aff435d4a88afb25585180a62ee4 by Laurent Montel.
Committed on 03/06/2024 at 11:42.
Pushed by mlaurent into branch 'master'.

Fix bug 487882: plaintext HTTP request in kmail-account-wizard
FIXED-IN: 6.2.0

M  +7    -11   src/ispdbservice.cpp
M  +5    -3    src/ispdbservice.h

https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4