View Issue Details

IDProjectCategoryView StatusLast Update
0003696SOGoBackend Calendarpublic2018-12-04 08:23
ReporterJens Erat Assigned Toludovic  
Status resolvedResolutionfixed 
Product Version2.3.9 
Summary0003696: Meta information can be derived from UID/DTSTAMP attributes though "View the Date & Time" restricted access

It is possible to derive meta information from free/busy views with reasonable amount of work. In especially, one can derive common appointments between other people even if permissions are restricted to 'View the Date & Time' by joining appointments of all users.

Fetching all appointments is a rather uncomplicated task through some scripts walking through user search and CalDAV.

The 'View the Date & Time' permissions should also hide UID and DTSTAMP, or provide faked values that prevent such joins. RFC 2445 marks those as optional.

If the UID field is required in practice to have a permanent value, a derived UID like one calculated from sha256(calendar_owner + salt + original_uid) with a per-user or per-server salt could be applied. DTSTAMP seems a little more difficult to be faked.

An example when this might be critical is if you make an appointment with the workers' council, which your boss might not like.

I did not verify whether the values can be accessed through CalDAV and the XML feed, but are definitely available in the ICS feed.

TagsNo tags attached.




2016-05-27 14:57

administrator   ~0010227

See 0003695

Issue History

Date Modified Username Field Change
2016-05-25 12:35 Jens Erat New Issue
2016-05-27 14:57 ludovic Note Added: 0010227
2016-05-27 14:57 ludovic Status new => resolved
2016-05-27 14:57 ludovic Resolution open => fixed
2016-05-27 14:57 ludovic Assigned To => ludovic