[#15011] Notifications reveal private entries
Summary: Notifications reveal private entries
Queue: Kronolith
Queue Version: FRAMEWORK_5_2
Type: Bug
State: Resolved
Priority: 1. Low
Owners: mrubinsk (at) horde (dot) org
Requester: 2020 (at) ichbinweg (dot) ch
Created: 05/24/2020 (1865 days ago)
Due:
Updated: 07/04/2020 (1824 days ago)
Assigned:
Resolved: 07/04/2020 (1824 days ago)
Github Issue Link:
Github Pull Request:
Milestone:
Patch: No

History
07/04/2020 06:39:50 PM Git Commit Comment #4
Changes have been made in Git (FRAMEWORK_5_2):

commit 5f898094acc324f5c17deb13c66c9b6bc6c95005
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 14:29:15 -0400

[mjr] SECURITY: Don't leak private details when sending notifications 
for private events (Bug #15011).

  M docs/changelog.yml

https://github.com/horde/kronolith/commit/5f898094acc324f5c17deb13c66c9b6bc6c95005

07/04/2020 06:19:42 PM Michael Rubinsky Assigned to Michael Rubinsky
State ⇒ Resolved

07/04/2020 06:16:35 PM Git Commit Comment #3
Changes have been made in Git (master):

commit 74e0bf732327305edb3f2dd44517eb6b33d408e4
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 14:16:03 -0400

Bug: 15011 Don't leak details when sending notifications for private entries.

  A k.patch
  M lib/Kronolith.php
  M templates/update/notification.html.php
  M templates/update/notification.plain.php

https://github.com/horde/kronolith/commit/74e0bf732327305edb3f2dd44517eb6b33d408e4

07/04/2020 04:46:41 PM Git Commit Comment #2
Changes have been made in Git (FRAMEWORK_5_2):

commit afc52b68583cfdd2643582e3066c08965848607a
Author: Michael J Rubinsky <mrubinsk@horde.org>
Date:   Sat, 04 Jul 2020 12:44:39 -0400

Bug: 15011 Don't leak details when sending notifications for private entries.

  M lib/Kronolith.php

https://github.com/horde/kronolith/commit/afc52b68583cfdd2643582e3066c08965848607a

05/24/2020 07:45:37 AM 2020 (at) ichbinweg (dot) ch Comment #1
Priority ⇒ 1. Low
Patch ⇒ No
Milestone ⇒
Queue ⇒ Kronolith
Summary ⇒ Notifications reveal private entries
Type ⇒ Bug
State ⇒ Unconfirmed
When read access is given for a given calendar to another user, they 
usually only get an indication like "Busy" for calendar entries marked 
private when accessed by web interface or ActiveSync. But when this 
user activates notifications of changes by e-mail, the explicit title 
of the calendar entry gets sent out instead of "Busy" only. Why is the 
calendar entry title masked on the web interface or ActiveSync, but 
not in email notifications?

Access rights granted to other user: Show/Read/Edit/Delete
Notifications activated by other user: Menu entry "On all calendars I 
have explicitly read access to"
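
An added illustration of the behaviour this ticket asks for (not Kronolith's code and not the committed fix): the notification body is rendered once per recipient, and a private entry is reduced to "Busy" for anyone but its creator, matching the masking the report describes for the web interface. All function, field and user names are hypothetical, the creator-only rule is an assumption, and the sample event is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Return only the fields a given recipient may see.
 * Assumption: a private entry is fully visible to its creator only.
 */
function visibleFields(array $event, string $recipient): array
{
    if (empty($event['private']) || $event['creator'] === $recipient) {
        return $event;
    }
    // Allow-list what survives masking, so a field added to the event
    // later is hidden by default instead of leaking into the mail.
    return [
        'title' => 'Busy',
        'start' => $event['start'],
        'end'   => $event['end'],
    ];
}

/** Render the plain-text notification body for one recipient. */
function renderNotification(array $event, string $recipient, string $action): string
{
    $e = visibleFields($event, $recipient);
    $lines = [
        sprintf('Event %s: %s', $action, $e['title']),
        sprintf('When: %s - %s', $e['start'], $e['end']),
    ];
    foreach (['location', 'description'] as $key) {
        if (isset($e[$key]) && $e[$key] !== '') {
            $lines[] = ucfirst($key) . ': ' . $e[$key];
        }
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample: a private entry on a calendar that bob can read.
$event = [
    'title' => 'Oncology appointment', 'creator' => 'alice', 'private' => true,
    'start' => '2020-05-25 09:00', 'end' => '2020-05-25 10:00',
    'location' => 'City Hospital', 'description' => 'Bring referral letter',
];

// Mask per recipient: one body shared by all subscribers would leak.
foreach (['alice', 'bob'] as $recipient) {
    echo "--- to $recipient ---\n", renderNotification($event, $recipient, 'modified');
}
```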
