Bug 57248 - WebDAV: don't send Basic Auth via http
Summary: WebDAV: don't send Basic Auth via http
Status: RESOLVED FIXED
Alias: None
Product: SyncEvolution
Classification: Unclassified
Component: CalDAV/CardDAV (show other bugs)
Version: unspecified
Hardware: Other All
Importance: high major
Assignee: Patrick Ohly
Reported: 2012-11-18 13:40 UTC by Patrick Ohly
Modified: 2015-03-03 08:31 UTC (History)
Description Patrick Ohly 2012-11-18 13:40:09 UTC
SyncEvolution sends Basic Auth in its initial request, to avoid round-trips. If http with Digest Auth is used, then this behavior exposes the credentials. SyncEvolution should only send Basic Auth over https.

See bug #56240 comment #4.
Comment 1 Patrick Ohly 2013-03-05 12:30:26 UTC
Fix is in master, will be in 1.3.99.3:

commit 68ef2f37dd2490e90fc3dad4b97d8ab3e893f108
Author: Patrick Ohly <patrick.ohly@intel.com>
Date:   Mon Mar 4 07:05:56 2013 -0800

    WebDAV: don't send Basic Auth via http (FDO #57248)
    
    Sending basic authentication headers via http is insecure.
    Only do it when the connection is encrypted and thus
    protects the information.
Comment 2 Patrick Ohly 2015-03-03 08:31:09 UTC
The commit introduced a regression, fixed in this:

    WebDAV: send Basic Auth via http in some cases (FDO #57248)
    
    It turned out that finding databases on an Apple Calendar server accessed via
    http depends on sending Basic Auth even when the server does not ask for it:
    without authentication, there is no information about the current principal,
    which is necessary for finding the user's databases.
    
    To make this work again, sending the authentication header is now forced for
    plain http if (and only if) the request which should have returned the
    principal URL fails to include it. This implies sending the same request
    twice, but as this scenario should be rare in practice (was only done for
    testing), this is acceptable.
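The policy described across the two commits (pre-send Basic Auth only over https, and fall back to sending it over plain http only when the first principal lookup came back without a principal URL) can be modelled as a small client-side decision plus a PROPFIND response parser. The following is an added illustration, not SyncEvolution's own code; the transport is stubbed with an injected `send_request` callable, and the host name, user name and the two multistatus bodies are constructed so the flow runs offline.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DAV = "{DAV:}"  # Clark-notation prefix for the WebDAV namespace


def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic credential. The caller decides whether it may be sent."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def may_send_basic_preemptively(url: str, force_plain_http: bool = False) -> bool:
    """Policy from the bug: send Basic Auth unasked only when TLS protects it.
    force_plain_http is the exception from comment 2: principal discovery over
    plain http already failed without credentials, so a retry with them is allowed."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return True
    return force_plain_http


def principal_url_from_propfind(body: str) -> Optional[str]:
    """Return DAV:current-user-principal/DAV:href from a multistatus body, or None
    if the server withheld it (e.g. answered the anonymous request with a 404 propstat)."""
    root = ET.fromstring(body)
    for prop in root.iter(DAV + "current-user-principal"):
        href = prop.find(DAV + "href")
        if href is not None and href.text:
            return href.text.strip()
    return None


def discover_principal(
    url: str,
    username: str,
    password: str,
    send_request: Callable[[Dict[str, str]], str],
) -> Tuple[Optional[str], List[Dict[str, str]]]:
    """Look up the principal URL, retrying once with Basic Auth over plain http
    only if the unauthenticated answer lacked it. Returns (principal, headers sent per attempt)."""
    attempts: List[Dict[str, str]] = []
    headers: Dict[str, str] = {}
    if may_send_basic_preemptively(url):
        headers["Authorization"] = basic_auth_header(username, password)
    attempts.append(dict(headers))
    principal = principal_url_from_propfind(send_request(headers))
    if principal is None and "Authorization" not in headers \
            and may_send_basic_preemptively(url, force_plain_http=True):
        # Second request: same PROPFIND, now with credentials (the "twice" case).
        headers["Authorization"] = basic_auth_header(username, password)
        attempts.append(dict(headers))
        principal = principal_url_from_propfind(send_request(headers))
    return principal, attempts


# Constructed responses imitating a server that reveals the principal only to
# authenticated requests (the behaviour the regression report describes).
ANON_BODY = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/</D:href>
  <D:propstat><D:prop><D:current-user-principal/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status></D:propstat>
 </D:response>
</D:multistatus>"""

AUTH_BODY = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/</D:href>
  <D:propstat><D:prop><D:current-user-principal>
   <D:href>/principals/users/alice/</D:href>
  </D:current-user-principal></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
 </D:response>
</D:multistatus>"""


def fake_server(headers: Dict[str, str]) -> str:
    """Stand-in transport: answers with the principal only when credentials were sent."""
    return AUTH_BODY if "Authorization" in headers else ANON_BODY


if __name__ == "__main__":
    for base in ("https://cal.example.test/", "http://cal.example.test/"):
        principal, sent = discover_principal(base, "alice", "secret", fake_server)
        print(base, principal, [sorted(h) for h in sent])
```

Over https the credential goes out on the first request; over http the first request is sent bare and the credential is only added for the retry, so a Digest-only server that does return the principal never sees the Basic header at all.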

