Task #2929
closedevaluate Redmine calendar plugin
0%
Description
As discussed in our in-person meeting in Munich, we want to evalute a Redmine calendar plugin, to export the calendar and due dates as ICS/iCal.
Several plugin seem to exist (e.g. https://github.com/buschmais/redmics). One I tested in the past had weak security, by having a hash in the GET URL - this is too unsafe for us, so we need to evaluate if that problem has been resolved.
Updated by Guilhem Moulin over 4 years ago
- Status changed from New to Feedback
https://redmine.documentfoundation.org/issues/calendar has links showing the visitor's RSS key (if authenticated) https://redmine.documentfoundation.org/icalendar/all_projects/my/open/issues.ics?key=… The same key is visible in other links, for instance in the atom link at the bottom of this issue. This is not the API key and AFAIK doesn't allow user impersonation. That said, by sharing a keyed link, whether atom or ICS, one may grant read access to all private issues/comments, subject to the privileges of the key owner. (Rekeying is possible at https://redmine.documentfoundation.org/my/account .)
These parameters have also the downside of being passed on GETs, so they're showing up in the HTTPd logs. Not a big deal right now though, as only infra team members have access to these logs and we also have access to the database.
We can easily patch the source to remove the parameters in the ICS links if desired. Download will work as long as the user is authenticated, but it won't work to import from a standalone ical client or similar.
Updated by Guilhem Moulin over 4 years ago
We can easily patch the source to remove the parameters in the ICS links if desired. Download will work as long as the user is authenticated, but it won't work to import from a standalone ical client or similar.
We can also change auth medod for the /icalendar segment to use Basic HTTP Authentication (with the key as username and a dummy password) or pass the RSS key via a custom header, like what Redmine does at https://www.redmine.org/projects/redmine/wiki/Rest_api#Authentication . But that's a more disruptive change and doesn't offer much gain much IMHO.
Updated by Florian Effenberger over 4 years ago
We can easily patch the source to remove the parameters in the ICS links if desired. Download will work as long as the user is authenticated, but it won't work to import from a standalone ical client or similar.
How would that work from a calendar client then, e.g. Lightning in
Thunderbird? Would Thunderbird show me the auth dialog then?
Updated by Guilhem Moulin over 4 years ago
I mean only in the <a href=…/>, so people don't share calendar links by mistake. (The RSS key can be found in the Atom links at the the bottom of this page.) Visiting /icalendar/all_projects/all/open/issues.ics?key=… would be processed like they are right now.
Updated by Florian Effenberger over 4 years ago
So that means when I add it to my calendar client, anytime I'm on an
untrusted network, there's a decent risk someone takes my key and has
access to my ticket feed?
Updated by Guilhem Moulin over 4 years ago
Uh? Not if you use https:// , which you should anyway.
Updated by Florian Effenberger over 4 years ago
Maybe I'm lost, but if I use HTTPS with GET URLs, that's transmitted
cleartext still, and visible in logs, isn't it?
Updated by Guilhem Moulin over 4 years ago
Maybe I'm lost, but if I use HTTPS with GET URLs, that's transmitted cleartext still,
Nope :-) HTTPS is HTTP over TLS, so first you connect to the INET socket and perform a TLS handhake (passing the hostname for SNI), then start speaking HTTP over the secure channel. So the request method, path, query string, header and body are all protected from eavesdropping (and authenticated assuming the peer cert was verified or pinned). Try MiTMing curl https://https://redmine.documentfoundation.org/foo?bar&bar and see what leaks :-)
and visible in logs, isn't it?
See what I wrote in message #1: “These parameters have also the downside of being passed on GETs, so they're showing up in the HTTPd logs. Not a big deal right now though, as only infra team members have access to these logs and we also have access to the database.”
Updated by Guilhem Moulin over 4 years ago
Try MiTMing curl https://https://redmine.documentfoundation.org/foo?bar&bar and see what leaks :-)
Namely the hostname leaks to the DNS resolver (and is also visible on the wire when encrypted SNI isn't used), IP addresses and ports leak too, and that's pretty much it. This is the case whenever TLS is used as original transport on a dedicated port, so it applies to $FOO over TLS (such as imaps:// and submissions://): first the client establishes a secure channel, then start speaking $FOO. OTOH protocols using upgrades via the STARTTLS directive leak more data.
Updated by Florian Effenberger over 4 years ago
Ah, I learned something new, didn't know that :-)
See what I wrote in message #1: “These parameters have also the downside
of being passed on GETs, so they're showing up in the HTTPd logs. Not a
big deal right now though, as only infra team members have access to
these logs and we also have access to the database.”
So, if I get it right, from your POV, having the iCal plugin active with
forced HTTPS is safe, right? Then we can enable it
Updated by Guilhem Moulin over 4 years ago
- Status changed from Feedback to Closed
So, if I get it right, from your POV, having the iCal plugin active with forced HTTPS is safe, right?
I'd certainly prefer if the RSS token wasn't passed as GET parameter, but it's not worse than using RSS feed urls which are part of Redmine core. In both cases the the token doesn't leak to an eavesdropper if one uses https://. It does leak if one uses http:// (which 301-redirects to https://) though, but that would be the same if the token were passed via POST or a custom HTTP header.
Then we can enable it
It's enabled since Nov 26 / msg#1 when I switched the status of this ticket to “feedback” :-P Closing now.