Subscription of password-protected calendars fails

I’m new to Nextcloud and currently evaluating it.
My version is 16.0.4 and the calendar app is 1.7.0.

In the calendar app, I’m trying to subscribe to external calendars, where access requires username and password, such as the Horde calendar or a DAViCal calendar.
Therefore, the URL has the structure https://<username>:<password>@<host>/<path>.
The subscribed calendar shows up with an exclamation mark, but the entries do not show up. Hovering over the exclamation mark says
Some events in this calendar are broken. Please check the JS console for more info.

The console of Firefox only says: <unavailable> and app.min.js:1:85293.
Edge is more specific and says that it got an HTTP status of 401.

So, I dug somewhat deeper:

  • I find the whole URL including the password in the database (table oc_calendarsubscriptions).
  • The password part of the URL is lost when the public function proxy($url) in file apps/calendar/controller/proxycontroller.php is called. The username is still in the URL.
    I checked this by inserting a debug message in the mentioned function.

Conclusion:
The password is stripped off somewhere between the database and the actual use of the URL.

Question:
What can I do about this?
Is there any configuration parameter to prevent the strip-off of the password?

Subscribing to external calendars is very important to us. And they are all protected by passwords.

Thanks for any advice
cetz

this looks really strange to me. but i’m no expert in this kind of thing. i’d say it would need to avoid the 2nd // making it a http://<username>:<password>@<host>/<path> (and try https as well)

@JimmyKater: Sorry, both, the missing https and the “double double-slash” were typos, only in this message and corrected meanwhile.

And yes, I also tested with http (intentionally without s): Same result.

Regards,
Christopher

I am also seeing this. A password-protected URL fails to load after adding. It appears to strip the password when attempting to load the details after adding the subscription, giving 401s. Possibly a security feature of Nextcloud stripping the password out of returned URLs?

Hi!
same here… any ideas about how to fix it?

Ok, I’m getting this as well.

I wasn’t sure what was wrong, until I clicked on the subscribed Calendar and looked at the iCal link. The Calendar app is stripping the :password from the url and saving it.

So this…

https://<username>:<password>@<host>/<path>

… checks out and the app adds it, but when it saves it, it saves like…

https://<username>@<host>/<path>

…so it 401 errors when it tries to actually load the data.

I am sorry I can’t help fixing this, but:

That is actually not entirely true: the app displays it like you wrote without password, but the complete link including the password is stored in the database table [PREFIX]calendarsubscriptions.
From a security point of view one could say that not displaying a cleartext password is desired behaviour.

To work around this for now I set up a reverse proxy in front of the password-protected URL.

Sure, you’re right there, however I have also traced the network requests and noted there is no password in the actual request sent to the remote CalDAV either, so it is actually missing this.

Though my initial statement was invalid as you stated.

I think an issue ticket already exists which addresses this problem.
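
Added example, not from the thread and not Nextcloud's code: one way a client or proxy could handle a subscription URL of the form https://<username>:<password>@<host>/<path>, keeping the password out of the displayed link while still sending it to the remote server in an HTTP Basic Authorization header. The function name, host and credentials are constructed for illustration, and it assumes the remote calendar server accepts Basic authentication.

```javascript
// Added example (hypothetical helper, not Nextcloud code).
// Splits a subscription URL with embedded credentials into:
//   requestUrl - URL with no userinfo, safe to log and to pass to an HTTP client
//   displayUrl - URL with the username only, as the thread saw in the UI
//   headers    - Authorization header carrying the credentials instead
function splitSubscriptionUrl(raw) {
  const u = new URL(raw);
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    throw new Error('unsupported scheme: ' + u.protocol);
  }

  // The URL parser keeps userinfo percent-encoded; decode it before use.
  const username = decodeURIComponent(u.username);
  const password = decodeURIComponent(u.password);
  if (username.includes(':')) {
    // Basic auth joins user and password with ':', so the user part must not contain one.
    throw new Error('username must not contain ":" for Basic authentication');
  }
  const hasCredentials = username !== '' || password !== '';

  // Display form: username stays, password is dropped.
  const display = new URL(u.href);
  display.password = '';

  // Request form: no userinfo at all.
  u.username = '';
  u.password = '';

  const headers = {};
  if (hasCredentials) {
    const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
    headers.Authorization = 'Basic ' + token;
  }

  return {
    requestUrl: u.href,
    displayUrl: display.href,
    headers,
    // Basic credentials over plain http travel unencrypted; flag it for the caller.
    insecure: u.protocol === 'http:',
  };
}

// Constructed sample input; the password contains an encoded '@'.
const sample = splitSubscriptionUrl('https://alice:s3cr%40t@cal.example.test/caldav/home.ics');
console.log(sample.displayUrl, '->', sample.requestUrl);
```

If the password is dropped from the URL and no such header is added in its place, the remote server receives an unauthenticated request and answers 401, which is the symptom described in the thread.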