fix minor password disclosure in system tray, see security bug 443500

Package-Manager: portage-2.1.11.31/cvs/Linux i686
Manifest-Sign-Key: 0x2B859DE3

1 files changed, 150 insertions, 0 deletions

diff --git a/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch b/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch
new file mode 100644
index 000000000000..4bea430cd31c
--- /dev/null
+++ b/mail-client/claws-mail-vcalendar/files/claws-mail-vcalendar-2.0.13_password-disclosure.patch
@@ -0,0 +1,150 @@
+In some instances, it might be the case that the only possible way to access a
+calendaring service is through https, and in such cases, the only way to
+authenticate (at least within the confines of vCalendar) is by embedding the
+username:password into the ics URL and/or have a 'private' url that shouldn't
+be shared.  
+
+In either case, after configuring a calendar and trying to access it, the full
+url is displayed in the status tray when trying to poll the calendar, something
+like:
+
+Fetching 'https://user:password@server.example.com/location/of/my/Calendar'...
+
+Thus, use of the vCalendar plugin really isn't suitable or secure for such
+configurations!  In the scenarios above, the former is more of a concern but
+neither is one you'd necessarily want to expose to prying eyes.  Even a google
+calendar "private url", for example, is visible it its entirety within the
+status tray.
+
+SOLUTION:
+Simply display the name that user has given to the calendar subscription in the
+tray instead.  Instead of what is currently displayed, just display something
+like
+
+Fetching 'My Enterprisey Collaboration Suite Calendar..."
+Fetching 'Google Calendar'...
+
+Upstream bug report: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
+Gentoo bug report: https://bugs.gentoo.org/show_bug.cgi?id=443500
+
+--- src/vcal_folder.c	11 Jul 2012 22:01:23 -0000	1.2.2.120
++++ src/vcal_folder.c	16 Nov 2012 09:03:33 -0000	1.2.2.121
+@@ -1609,7 +1609,7 @@
+ 	return GINT_TO_POINTER(0);
+ }
+ 
+-gchar *vcal_curl_read(const char *url, gboolean verbose, 
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, 
+ 	void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar *error))
+ {
+ 	gchar *result;
+@@ -1618,25 +1618,19 @@
+ 	pthread_t pt;
+ 	pthread_attr_t pta;
+ #endif
+-	gchar *msg;
+ 	void *res;
+ 	gboolean killed;
+ 	gchar *error = NULL;
+ 	result = NULL;
+ 	td = g_new0(thread_data, 1);
+-	msg = NULL;
+ 	res = NULL;
+ 	killed = FALSE;
+-	
++
+ 	td->url  = url;
+ 	td->result  = NULL;
+ 	td->done = FALSE;
+-	
+-	msg = g_strdup_printf(_("Fetching '%s'..."), url);
+-	
+-	STATUSBAR_PUSH(mainwindow_get_mainwindow(), msg);
+-	
+-	g_free(msg);
++
++	STATUSBAR_PUSH(mainwindow_get_mainwindow(), label);
+ 
+ #ifdef USE_PTHREAD
+ 	if (pthread_attr_init(&pta) != 0 ||
+@@ -1868,7 +1862,8 @@
+ static void update_subscription(const gchar *uri, gboolean verbose)
+ {
+ 	FolderItem *item = get_folder_item_for_uri(uri);
+-	
++	gchar *label;
++
+ 	if (prefs_common_get_prefs()->work_offline) {
+ 		if (!verbose || 
+ 		!inc_offline_should_override(TRUE,
+@@ -1882,7 +1877,11 @@
+ 			return;
+ 	}
+ 	main_window_cursor_wait(mainwindow_get_mainwindow());
+-	vcal_curl_read(uri, verbose, update_subscription_finish);
++
++	label = g_strdup_printf(_("Fetching calendar for %s..."), 
++			item && item->name ? item->name : _("new subscription"));
++	vcal_curl_read(uri, label, verbose, update_subscription_finish);
++	g_free(label);
+ }
+ 
+ static void check_subs_cb(GtkAction *action, gpointer data)
+Index: src/vcal_folder.h
+===================================================================
+RCS file: //plugins/vcalendar/src/vcal_folder.h,v
+retrieving revision 1.1.2.15
+retrieving revision 1.1.2.16
+diff -u -B -u -r1.1.2.15 -r1.1.2.16
+--- src/vcal_folder.h	6 Nov 2011 12:06:21 -0000	1.1.2.15
++++ src/vcal_folder.h	16 Nov 2012 09:03:33 -0000	1.1.2.16
+@@ -36,7 +36,7 @@
+ void vcal_folder_export(Folder *folder);
+ 
+ gboolean vcal_curl_put(gchar *url, FILE *fp, gint filesize, const gchar *user, const gchar *pass);
+-gchar *vcal_curl_read(const char *url, gboolean verbose, 
++gchar *vcal_curl_read(const char *url, const gchar *label, gboolean verbose, 
+ 	void (*callback)(const gchar *url, gchar *data, gboolean verbose, gchar
+ 		*error));
+ gchar* get_item_event_list_for_date(FolderItem *item, EventTime date);
+Index: src/vcal_meeting_gtk.c
+===================================================================
+RCS file: //plugins/vcalendar/src/vcal_meeting_gtk.c,v
+retrieving revision 1.1.2.95
+retrieving revision 1.1.2.96
+diff -u -B -u -r1.1.2.95 -r1.1.2.96
+--- src/vcal_meeting_gtk.c	30 Oct 2011 10:12:54 -0000	1.1.2.95
++++ src/vcal_meeting_gtk.c	16 Nov 2012 09:03:33 -0000	1.1.2.96
+@@ -1085,7 +1085,7 @@
+ 
+ 		if (!local_only) {
+ 			remail = g_strdup(email);
+-			g_free(email);
++
+ 			extract_address(remail);
+ 			if (strrchr(remail, ' '))
+ 				user = g_strdup(strrchr(remail, ' ')+1);
+@@ -1125,17 +1125,22 @@
+ 			&& strncmp(tmp, "ftp://", 6))
+ 				contents = file_read_to_str(tmp);
+ 			else {
++				gchar *label = g_strdup_printf(_("Fetching planning for %s..."), email);
+ 				if (!strncmp(tmp, "webcal://", 9)) {
+ 					gchar *tmp2 = g_strdup_printf("http://%s", tmp+9);
+ 					g_free(tmp);
+ 					tmp = tmp2;
+ 				}
+-				contents = vcal_curl_read(tmp, FALSE, NULL);
++				contents = vcal_curl_read(tmp, label, FALSE, NULL);
++				g_free(label);
+ 			}
+ 		} else {
+ 			contents = NULL;
+ 		}
++
++		g_free(email);
+ 		g_free(tmp);
++
+ 		if (contents == NULL) {
+ 			uncertain = TRUE;
+ 			att_update_icon(meet, attendee, 2, _("Free/busy retrieval failed"));