Mishandling of @ (at sign) in WebDAV contacts username (wrong DNS query)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evolution-data-server | Fix Released | Medium | |
evolution-data-server (Ubuntu) | Fix Released | Low | Ubuntu Desktop Bugs |
Bug Description
Binary package hint: evolution-
Steps to reproduce:
1. Set up a WebDAV contacts store with a username with an @ in it (e.g.
<email address hidden>). I'm using Zimbra.
2. In Evolution, create a new address book of type WebDAV and click OK:
Example URL: https://<email address hidden>/Contacts
Example Username: <email address hidden>
Expected result:
- contact super-awesomeness
- Evolution looks up hostdomain.com, asks for a password, authenticates with
<email address hidden> and the password, and requests the resource at
<email address hidden>/Contacts
Actual result:
- Evolution pops up a dialogue with:
Unable to perform search.
This query did not complete successfully.
- evolution-
(process:18068): libebookbackend
with http status 2
- Wireshark reveals that e-d-s tried to perform DNS lookups for
<email address hidden>. Unsurprisingly, it failed.
It looks like maybe e-d-s is wedging the username into the front of the URL in
the format https://<email address hidden> without escaping the @, resulting in
this case in <email address hidden>
username as myname and the domain as <email address hidden>. If not, I
can't imagine what sort of crack is going on here.
Worth noting that the same credentials work fine for the other DAV stores
(calendaring, tasks).
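The reporter's hypothesis, modelled as an added example (not code from Evolution or evolution-data-server): a username containing @ placed unescaped into the URL's userinfo shifts the host boundary, while percent-encoding it keeps the host intact. The host `dav.example.net` and username `myname@example.org` are constructed, and `host_first_at` is a hypothetical model of a parser that splits the authority at the first @.

```python
from urllib.parse import quote, unquote, urlsplit


def authority_of(url):
    """Return the raw authority component (between '://' and the next '/')."""
    return url.split("://", 1)[1].split("/", 1)[0]


def host_first_at(url):
    """Hypothetical model of the suspected bug: split userinfo/host at the FIRST '@'."""
    userinfo, sep, host = authority_of(url).partition("@")
    return host if sep else userinfo


def has_ambiguous_authority(url):
    """More than one literal '@' in the authority means userinfo was not escaped."""
    return authority_of(url).count("@") > 1


def build_url(scheme, host, path, username):
    """Embed the username as userinfo with every reserved character percent-encoded."""
    return f"{scheme}://{quote(username, safe='')}@{host}{path}"


def parse(url):
    """Recover (decoded username, host) with the standard-library parser."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), parts.hostname


# Constructed sample values, not taken from the bug report.
USERNAME = "myname@example.org"
HOST = "dav.example.net"
UNESCAPED = f"https://{USERNAME}@{HOST}/Contacts"
ESCAPED = build_url("https", HOST, "/Contacts", USERNAME)

if __name__ == "__main__":
    for label, url in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(label, url)
        print("  ambiguous authority:", has_ambiguous_authority(url))
        print("  host a first-@ parser would resolve:", host_first_at(url))
        print("  stdlib (username, host):", parse(url))
```

With the unescaped form, the modelled parser hands the resolver a name that still contains an @, which matches the failed DNS lookup seen in Wireshark; the check in `has_ambiguous_authority` is a cheap guard before any request is sent.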
Changed in evolution-data-server (Ubuntu):
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
Changed in evolution-data-server:
status: Unknown → New
Changed in evolution-data-server:
status: New → Fix Released
Changed in evolution-data-server:
importance: Unknown → Medium
Using 9.10 64-bit, evolution-data-server 2.28.
Also reported upstream.