Bug 344474 - Kmail exposes password through notification if smtp server not accessible
Summary: Kmail exposes password through notification if smtp server not accessible
Status: RESOLVED UNMAINTAINED
Alias: None
Product: kmail2
Classification: Applications
Component: general
Version: 4.14.1
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2015-02-23 09:02 UTC by Michael D
Modified: 2018-01-31 16:50 UTC

Description Michael D 2015-02-23 09:02:48 UTC
I accidentally put my smtp server in the format "server@smtp.de" instead of "server.smtp.de" and when trying to send an email a notification pops up exposing my password in plain text. The notification titled "E-mail Sending Failed" starts "Failed to transport message. smtp://<account name>:<password>@:<port>..." I have checked the setting to store SMTP password.

This obviously presents a significant security concern.

Reproducible: Always

Steps to Reproduce:
1. Enter wrong smtp server (perhaps in a particular format as described above?) in settings
2. Send an email from that server/account, with the store password setting checked


Actual Results:  
An error message pops up exposing password

Expected Results:  
The error message only says that the email failed to send, and this is presented in a *readable* format.
Comment 1 Laurent Montel 2015-02-23 09:48:21 UTC
Indeed!
I will look at it soon.
I don't know where the problem is, but I will fix it soon.
Comment 2 Laurent Montel 2015-02-24 07:08:48 UTC
I investigated it yesterday but haven't yet found which part of the code sends it.
Perhaps kdelibs.
Comment 3 Michael D 2015-02-24 08:37:25 UTC
The same error message, I noticed, is also displayed at the top of KMail's preview pane, if that helps.
Comment 4 Laurent Montel 2015-02-24 10:07:12 UTC
I know, but it doesn't inform me which code sends this information.
It's not kioslave smtp, so I don't know for the moment.
I continue to investigate.
Comment 5 Denis Kurz 2017-06-23 19:57:59 UTC
This bug has never been confirmed for a KDE PIM version that is based on KDE Frameworks (5.x). Those versions differ significantly from the old 4.x series. Therefore, I plan to close it in around two or three months. In the meantime, it is set to WAITINGFORINFO to give reporters the opportunity to check if it is still valid. As soon as someone confirms it for a recent version (at least 5.1, ideally even more recent), I'll gladly reopen it.

Please understand that we lack the manpower to triage bugs reported for versions almost two years beyond their end of life.
Comment 6 Denis Kurz 2018-01-31 16:50:20 UTC
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.1 aka 15.12, preferably more recent), please open a new one unless it already exists. Thank you for all your input.
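
Added example, not part of the original report and not KMail or kdelibs code: one way to keep the credential out of a user-visible error like the notification quoted in the description is to scrub the password from any URL in the message before it is displayed. The function name and the sample account, password and hosts are constructed for illustration; the code that produced the notification was not identified in this report.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Added example: strips the password from every "scheme://user:password@host"
// authority inside a free-form message; the user name is kept for diagnostics.
std::string redactUrlPasswords(const std::string &message)
{
    std::string out;
    std::size_t pos = 0;
    for (;;) {
        const std::size_t sep = message.find("://", pos);
        if (sep == std::string::npos) {
            out.append(message, pos, std::string::npos);
            return out;
        }
        const std::size_t authStart = sep + 3;
        // The authority ends at the first '/', '?', '#' or whitespace.
        std::size_t authEnd = authStart;
        while (authEnd < message.size()) {
            const unsigned char c = static_cast<unsigned char>(message[authEnd]);
            if (c == '/' || c == '?' || c == '#' || std::isspace(c))
                break;
            ++authEnd;
        }
        // Take the LAST '@' in the authority, so a password that contains a raw
        // '@' (or a host mistyped with '@') is still removed in full.
        const std::size_t at = authEnd > authStart
            ? message.rfind('@', authEnd - 1) : std::string::npos;
        const std::size_t colon = message.find(':', authStart);
        if (at != std::string::npos && at >= authStart && colon < at) {
            out.append(message, pos, colon - pos); // text up to the user name
            pos = at;                              // resume at '@'; password dropped
        } else {
            out.append(message, pos, authEnd - pos); // nothing to redact here
            pos = authEnd;
        }
    }
}

int main()
{
    // Constructed sample in the shape of the notification text (empty host).
    std::cout << redactUrlPasswords(
        "Failed to transport message. smtp://alice:s3cret@:465 is unreachable")
              << '\n';
    return 0;
}
```

Where the URL is still held as a QUrl, formatting it with QUrl::RemovePassword gives the same result; the string scrubber covers messages in which the URL has already been embedded as text.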