#2381 Public Access Override Text not functioning properly: Bumped

Security_Hole
open
Security (98)
5
2009-01-08
2008-10-09
No

I am using release 1.2.0 (2008-09-28 01:02).

When in System Settings > Public Access I set "Override event name/description for public access" to "yes" and then provide an override text in the next line, I get the following behaviour when I access the public access calendar:

In all the "My Calendar" Views except Year (of course), the appointment shows up with the Name (not the override text) visible on the appropriate date and at the appropriate time. If I hold the mouse over the item, the title and full description appear in the tool tip.

The override text is only used if I then click on the item to see its properties.

This is pretty obviously not the desired behaviour: the override text should be used everywhere on the Public Access Calendar. If the public user can see the title and description from the main calendar pages, there is no point restricting access to it when he clicks on one of the links.

I've listed this as a security hole because it means that users are displaying potentially private information when the settings wizard is assuring them that they are masking this information.

Discussion

  • Craig Knudsen

    Craig Knudsen - 2008-10-20
    • status: open --> pending
     
  • SourceForge Robot

    • status: pending --> closed
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 30 days (the time period specified by
    the administrator of this Tracker).

     
  • Daniel O'Donnell

    • summary: Public Access Override Text not functioning properly --> Public Access Override Text not functioning properly: Bumped
    • status: closed --> open
     
  • Daniel O'Donnell

    I'm bumping this to open again--it really is a pretty serious user security issue. I'm not sure what request I failed to respond to. I don't see anything in my mail.

    The issue again is that public calendars don't use the override text on the main calendar page or the tool tip: the override text only shows up if you click on a specific entry. This means that the content of the event is visible to the public user from the main interface and is only hidden if they do something after reading ALL details of the event. This makes it impossible to use as a public calendar in any situation where you need to show free/busy but not details (unless all entries are set to private).

     
  • Daniel O'Donnell

    • labels: 345356 --> Security
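
The behaviour reported in this ticket beside one way to avoid it, as an added example (not WebCalendar's code; written in Python, and every class and function name here is hypothetical): the override is applied once, where the event is prepared for a public viewer, so the calendar cell, the tooltip and the detail view all receive masked data, and a check scans the rendered pages for the original text.

```python
from dataclasses import dataclass, replace
from html import escape

@dataclass(frozen=True)
class Event:
    name: str
    description: str
    start: str  # time of day stays visible so free/busy still works

@dataclass(frozen=True)
class PublicAccess:  # hypothetical stand-in for the two settings in the report
    override: bool
    override_text: str

def for_public(event, settings):
    """Return the event as a public viewer may see it; views never decide this."""
    if settings.override:
        return replace(event, name=settings.override_text,
                       description=settings.override_text)
    return event

def render_cell(ev):
    # Calendar cell: name as link text, name and description in the tooltip.
    tip = escape(f"{ev.name}: {ev.description}")
    return f'<a title="{tip}">{ev.start} {escape(ev.name)}</a>'

def render_detail(ev):
    return f"<h2>{escape(ev.name)}</h2><p>{escape(ev.description)}</p>"

def pages_as_reported(events, settings):
    """Behaviour described in the ticket: only the detail view gets the override."""
    masked = [for_public(e, settings) for e in events]
    return {"month": "".join(render_cell(e) for e in events),
            "detail": "".join(render_detail(e) for e in masked)}

def pages_masked_at_source(events, settings):
    """Every public view renders the same masked copies."""
    masked = [for_public(e, settings) for e in events]
    return {"month": "".join(render_cell(e) for e in masked),
            "detail": "".join(render_detail(e) for e in masked)}

def leaked_fields(events, pages):
    """Regression check: (page, text) pairs where original text reached public HTML."""
    return [(page, text) for page, html in pages.items()
            for e in events for text in (e.name, e.description)
            if escape(text) in html]

# Constructed sample data, not taken from the ticket.
EVENTS = [Event("Oncology appointment", "Dr. Example, room 4", "09:30")]
SETTINGS = PublicAccess(override=True, override_text="Not available")
```
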
     
