intri-in / manage-my-damn-life-nextjs

Manage My Damn Life (MMDL) is a self-hosted front end for managing your CalDAV tasks and calendars.
https://intri.in/manage-my-damn-life/
GNU General Public License v3.0

CalDAV registry user inputs MUST be processed #152

Closed ceceba223 closed 9 months ago

ceceba223 commented 9 months ago

The Issue

I was having an issue where I was trying to connect to my radicle CalDAV server but got an error: "Invalid credentials". Meanwhile the same credentials were working on other devices using other apps. This nearly drove me insane, but I figured out that the CalDAV credentials are actually sent as an HTTP GET request to the backend in plain text.

GET http://mmdl-ip:3000/api/v2/caldav/register?url=http://radicle-ip:5232&=&=&=&username=my_clean_text_username&password=my_clean_text_password&accountname=test

My password contained an & sign, which caused my password to look somewhat like this:

GET http://mmdl-ip:3000/api/v2/caldav/register?url=http://radicle-ip:5232&=&=&=&username=my_clean_text_username&password=my_clean&text_password=&accountname=test

As you can see, only the first part of my password was actually being used as the password. The second part is being used as the name of an extra variable, which isn't defined.

Possible solution

The easiest solution to this that I can think of is scanning the user input for characters that might cause problems and replacing them with their respective escape sequences. This is how I manually solved this issue for now: instead of using pass&word I used pass%26word.

Another fix that I think would work (I'm not an expert at this) would be using a POST request instead of a GET request.

Finally, I want to say that this might be a security risk. Again, I'm not an expert, but trusting raw user input is rarely a good idea.

intri-in commented 9 months ago

The request must definitely be a POST and not a GET. Will fix ASAP.
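The following is an added example, not code from the MMDL project or from either commenter. It reproduces the splitting described in the report with plain Node.js URL APIs and shows both remedies discussed: percent-encoding each query value (the reporter's manual `%26` workaround, done properly with `URLSearchParams`) and moving the credentials into a POST body (the maintainer's fix). Besides the delimiter problem, a GET keeps the password in the URL, which is what proxies, web servers and browsers log, so the POST is the right fix for two reasons. The base URL, hostnames and credential values are constructed for the demonstration.

```javascript
// Added example (not MMDL project code). Shows how an unescaped "&" in a
// password splits a hand-built GET query string, and two ways to avoid it.
// All hosts and credentials below are constructed values.

// Naive client: string concatenation with no encoding (the behaviour reported).
function buildRegisterUrlNaive(base, { url, username, password, accountname }) {
  return `${base}/api/v2/caldav/register?url=${url}&username=${username}` +
         `&password=${password}&accountname=${accountname}`;
}

// Safe GET client: URLSearchParams percent-encodes every value, so "&" in a
// password becomes "%26" and "=" becomes "%3D" and nothing is re-split.
function buildRegisterUrlEncoded(base, params) {
  const u = new URL('/api/v2/caldav/register', base);
  for (const [key, value] of Object.entries(params)) {
    u.searchParams.set(key, value);
  }
  return u.toString();
}

// What a server-side query parser (e.g. Next.js `req.query`) sees for a URL.
function parseQuery(fullUrl) {
  return Object.fromEntries(new URL(fullUrl).searchParams.entries());
}

// Preferred fix: POST the credentials as a JSON body. The password never
// appears in the URL (so not in access logs or browser history) and JSON
// has no query-string delimiters to collide with.
function buildRegisterRequest(base, params) {
  return {
    url: new URL('/api/v2/caldav/register', base).toString(),
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(params),
  };
}

// Server side of the POST: parse the body and require every field to be a
// non-empty string before it is used for the CalDAV login.
function parseRegisterBody(body) {
  const parsed = JSON.parse(body);
  for (const key of ['url', 'username', 'password', 'accountname']) {
    if (typeof parsed[key] !== 'string' || parsed[key] === '') {
      throw new Error(`missing or non-string field: ${key}`);
    }
  }
  return parsed;
}

// Constructed demo input: a password containing both "&" and "=".
const BASE = 'http://mmdl-ip:3000';
const CREDS = {
  url: 'http://radicle-ip:5232',
  username: 'alice',
  password: 'pass&word=1',
  accountname: 'test',
};

// Returns what the server would see for each client, side by side.
function demo() {
  const naive = parseQuery(buildRegisterUrlNaive(BASE, CREDS));
  const encoded = parseQuery(buildRegisterUrlEncoded(BASE, CREDS));
  const posted = parseRegisterBody(buildRegisterRequest(BASE, CREDS).body);
  return { naive, encoded, posted };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the naive builder the server sees `password: "pass"` plus a stray `word: "1"`, which is exactly the "Invalid credentials" failure in the report; both the encoded GET and the POST deliver `pass&word=1` intact.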