Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CalDAV registry user inputs MUST be processed #152

Closed
ceceba223 opened this issue Feb 28, 2024 · 1 comment · Fixed by #155
Closed

CalDAV registry user inputs MUST be processed #152

ceceba223 opened this issue Feb 28, 2024 · 1 comment · Fixed by #155
Labels
bug Something isn't working

Comments

@ceceba223
Copy link

The Issue

I was having an issue where I was trying to connect to my radicle CalDAV server but got an error: Invalid credentials
Meanwhile the same credentials where working on other devices using other apps. This nearly drove me insane but I figured out that the CalDav credentials are actually send as an http-GET request to the backend in plain text.

GET http://mmdl-ip:3000/api/v2/caldav/register?url=http://radicle-ip:5232&=&=&=&username=my_clean_text_username&password=my_clean_text_password&accountname=test

My password contained a & sign which caused my password to look some what like this:

GET http://mmdl-ip:3000/api/v2/caldav/register?url=http://radicle-ip:5232&=&=&=&username=my_clean_text_username&password=my_clean&text_password=&accountname=test

As you can see only the first part of my password was actually being used as the password. The second part is being used as a name for an extra variable, which isn't defined.

Possible solution

The easiest solution to this, I can think of is scanning the user input for characters that might cause problems and replacing them with their respective escape character. This is how I manually solved this issue for now. So instead of using pass&word I used pass%26word.

Another fix that I think would work (I'm not an expert at this) would be using a POST request instead of a GET request.

Finally I want to say that this might be a security risk. Again I'm not an expert but trusting raw user input is rarely a good idea.
@intri-in intri-in added the bug Something isn't working label Feb 29, 2024
@intri-in
Copy link
Owner

The request must definitely be a POST and not a GET. Will fix ASAP.

intri-in pushed a commit that referenced this issue Mar 2, 2024
@aa-tree
- Fixed #152
9d1fee9 
    - Now Caldav registration is done via a POST request.
- Fixed problems of duplication of calendars post adding a new CalDAV account.
- Fixed list of caldav accounts not updating after adding or deleting a caldav account.
- Fixed Force sync button's function in /accounts/caldav page.
- Logout now deletes the local dexie db for security.
intri-in added a commit that referenced this issue Mar 2, 2024
@intri-in
Merge pull request #153 from intri-in/apiFix_Registration
7b7c2d3 
- Fixed #152
@intri-in intri-in mentioned this issue Mar 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

v0.4.5 intri-in/manage-my-damn-life-nextjs
2 participants
@ceceba223 @intri-in