Bug 502223

Summary: Kaddressbook exposes all address collections of the connecting user when connecting via carddav...
Product: [Applications] kaddressbook Reporter: piedro <piedro.kulman>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---    
Severity: normal CC: piedro.kulman
Priority: NOR    
Version First Reported In: 5.24.2   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description piedro 2025-03-31 01:12:35 UTC 
SUMMARY

When using kaddress book to connect to my carddav address server (Synology Contacts) I cannot single out one exclusive collection.

The dialog to create a new addressbook and connect to the carddav server shows all my six collections  (like "job contacts", "private contacts","archived contacts" and so forth...) to be found on the server.

It correctly displays six different carddav addresses for the collections.

But connecting to any single collection address out of these always pulls all of the other six collections as address folders too - the address book exposes all six collections hosted on the server in the kaddressbook folder list. 

This seems to me to be a severe bug and security breach - this shouldn't be the intended behaviour.  
On my family PC where my kids will have occasional access to I certainly do not want my jobs address collection to be exposed for reading and even worse being subject to be deleted or changed.

To be honest I don't understand how this is even possible. 

I tested this connecting with a restricted user account on the server - even in this case I get the same result. 

To ensure it's not the server messing up I tried doing the same with thunderbird. In this case I can correctly connect to every single collection individually without any exposure of the other collections owned by this server's user account. Sadly I do not have the skill to pinpoint the cause of this behaviour by kaddressbook's carddav implementation. 

STEPS TO REPRODUCE
1. create multiple address collections in a carddav account (for me that's with Synology Contacts on a NAS, DSM 7.2)
2. connect to the individual carddav server address of  one of the collections  
3. the connection dialog will show all collections within this user's account

OBSERVED RESULT
Every single collection is exposed with read/write permission as kaddress book folder and can even be deleted completely from the server through kaddressbook as they are all owned by the connecting user. 

EXPECTED RESULT
Only connect to one collection when using it's carddav address and add it as a single address folder in kaddressbook.   

SOFTWARE/OS VERSIONS
Operating System: openSUSE Tumbleweed 20250325
KDE Plasma Version: 6.3.3
KDE Frameworks Version: 6.12.0
Qt Version: 6.8.2
Kernel Version: 6.13.7-1-default (64-bit)
Graphics Platform: Wayland

As said, other clients like Thunderbird do not show this behaviour not expose additional access.
Comment 1 piedro 2025-04-01 12:24:43 UTC 
I contacted Synology and reported this as a security breach which should be prevented by the server in the first place. 

Now the Synology developers created a temporary solution to enable a setting to prevent individual address books (collections) from being exposed to carddav clients which use the same method of access as kaddressbook does.  

This obviously is just a measure on their part to secure their carddav server implementation. Seems they take this seriously and they started immediately to actively work on it. Honestly I am surprised that they came up with a work around within two days! 

In their response they pinpointed to the problem within kaddressbook - it seems to access carddav servers by using a "PROPFIND request". 
I guess that's the culprit and shouldn't be too hard to fix?

Here's their remark: 

Synology, 2025-04-01 06:26:50:  

"Thanks for your waiting. 

After confirming with the developers, some CardDAV will force a PROPFIND request for all non-hidden address books." 

Hope this helps - please fix this, this bug is a sever security issue imho... 

Thx, pk
Comment 2 piedro 2025-04-01 12:37:38 UTC 
Sorry typo above:

"PROPFIND request"