https://bugs.kde.org/show_bug.cgi?id=502223

Bug ID: 502223
Summary: Kaddressbook exposes all address collections of the connecting user when connecting via carddav...
Classification: Applications
Product: kaddressbook
Version: 5.24.2
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: kdepim-b...@kde.org
Reporter: piedro.kul...@gmail.com
Target Milestone: ---

SUMMARY

When using kaddressbook to connect to my carddav address server (Synology Contacts) I cannot single out one exclusive collection.

The dialog to create a new addressbook and connect to the carddav server shows all my six collections (like "job contacts", "private contacts", "archived contacts" and so forth...) to be found on the server. It correctly displays six different carddav addresses for the collections. But connecting to any single collection address out of these always pulls all of the other six collections as address folders too - the address book exposes all six collections hosted on the server in the kaddressbook folder list.

This seems to me to be a severe bug and security breach - this shouldn't be the intended behaviour. On my family PC, to which my kids will have occasional access, I certainly do not want my jobs address collection to be exposed for reading and, even worse, being subject to be deleted or changed.

To be honest I don't understand how this is even possible. I tested this connecting with a restricted user account on the server - even in this case I get the same result.

To ensure it's not the server messing up I tried doing the same with thunderbird. In this case I can correctly connect to every single collection individually without any exposure of the other collections owned by this server's user account.

Sadly I do not have the skill to pinpoint the cause of this behaviour by kaddressbook's carddav implementation.

STEPS TO REPRODUCE

1. create multiple address collections in a carddav account (for me that's with Synology Contacts on a NAS, DSM 7.2)
2. connect to the individual carddav server address of one of the collections
3. the connection dialog will show all collections within this user's account

OBSERVED RESULT

Every single collection is exposed with read/write permission as kaddressbook folder and can even be deleted completely from the server through kaddressbook as they are all owned by the connecting user.

EXPECTED RESULT

Only connect to one collection when using its carddav address and add it as a single address folder in kaddressbook.

SOFTWARE/OS VERSIONS

Operating System: openSUSE Tumbleweed 20250325
KDE Plasma Version: 6.3.3
KDE Frameworks Version: 6.12.0
Qt Version: 6.8.2
Kernel Version: 6.13.7-1-default (64-bit)
Graphics Platform: Wayland

As said, other clients like Thunderbird do not show this behaviour nor expose additional access.