6.0.0-git
2020-07-15

[#15011] Notifications reveal private entries
Summary Notifications reveal private entries
Queue Kronolith
Queue Version FRAMEWORK_5_2
Type Bug
State Resolved
Priority 1. Low
Owners mrubinsk (at) horde (dot) org
Requester 2020 (at) ichbinweg (dot) ch
Created 2020-05-24 (52 days ago)
Due
Updated 2020-07-04 (11 days ago)
Assigned
Resolved 2020-07-04 (11 days ago)
Milestone
Patch No

History
2020-07-04 18:39:50 Git Commit Comment #4
Changes have been made in Git (FRAMEWORK_5_2):

commit 5f898094acc324f5c17deb13c66c9b6bc6c95005
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 14:29:15 -0400

[mjr] SECURITY: Don't leak private details when sending notifications 
for private events (Bug #15011).

  M docs/changelog.yml

https://github.com/horde/kronolith/commit/5f898094acc324f5c17deb13c66c9b6bc6c95005
2020-07-04 18:19:42 Michael Rubinsky Assigned to Michael Rubinsky
State ⇒ Resolved
 
2020-07-04 18:16:35 Git Commit Comment #3
Changes have been made in Git (master):

commit 74e0bf732327305edb3f2dd44517eb6b33d408e4
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 14:16:03 -0400

Bug: 15011 Don't leak details when sending notifications for private entries.

  A k.patch
  M lib/Kronolith.php
  M templates/update/notification.html.php
  M templates/update/notification.plain.php

https://github.com/horde/kronolith/commit/74e0bf732327305edb3f2dd44517eb6b33d408e4
2020-07-04 16:46:41 Git Commit Comment #2
Changes have been made in Git (FRAMEWORK_5_2):

commit afc52b68583cfdd2643582e3066c08965848607a
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 12:44:39 -0400

Bug: 15011 Don't leak details when sending notifications for private entries.

  M lib/Kronolith.php

https://github.com/horde/kronolith/commit/afc52b68583cfdd2643582e3066c08965848607a
2020-05-24 07:45:37 2020 (at) ichbinweg (dot) ch Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ Notifications reveal private entries
Queue ⇒ Kronolith
Milestone ⇒
Patch ⇒ No
When read access is given for a given calendar to another user, they 
usually only get an indication like "Busy" for calendar entries marked 
private when accessed by web interface or ActiveSync. But when this 
user activates notifications of changes by e-mail, the explicit title 
of the calendar entry gets sent out instead of "Busy" only. Why is the 
calendar entry title masked on the web interface or ActiveSync, but 
not in email notifications?

Access rights granted to other user: Show/Read/Edit/Delete
Notifications activated by other user: Menu entry "On all calendars I 
have explicitly read access to"
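
The behaviour reported above, sketched as an added example that is not code from this ticket or from Kronolith: a notification body rendered once from the raw event leaks the title, while rendering it per recipient through the same privacy rule the web view uses does not. All class, function and user names are hypothetical, the sample data is constructed, and PHP 8 is assumed.

```php
<?php
// Added illustration; names are hypothetical and are not Kronolith's API.

final class Event
{
    public function __construct(
        public string $owner,
        public string $title,
        public string $location,
        public bool $private
    ) {}

    // The rule the ticket describes for the web UI: details of a private
    // entry are masked for everyone except the owner, whatever their rights.
    public function viewFor(string $user): array
    {
        if ($this->private && $user !== $this->owner) {
            return ['title' => 'Busy', 'location' => ''];
        }
        return ['title' => $this->title, 'location' => $this->location];
    }
}

// Leaky: the body is built once from the raw event and sent to every subscriber.
function notifyLeaky(Event $e, array $subscribers): array
{
    $body = "Event changed: {$e->title} ({$e->location})";
    return array_fill_keys($subscribers, $body);
}

// Hardened: the body is built per recipient from the privacy-aware view.
function notifySafe(Event $e, array $subscribers): array
{
    $out = [];
    foreach ($subscribers as $user) {
        $v = $e->viewFor($user);
        $out[$user] = 'Event changed: ' . $v['title']
            . ($v['location'] !== '' ? " ({$v['location']})" : '');
    }
    return $out;
}

// Constructed sample: bob holds Show/Read/Edit/Delete on alice's calendar.
$event = new Event('alice', 'Doctor appointment', 'Clinic', true);
$subs  = ['alice', 'bob'];

print_r(notifyLeaky($event, $subs)); // bob's copy contains the real title
print_r(notifySafe($event, $subs));  // bob's copy reads "Event changed: Busy"
```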
