https://bugs.kde.org/show_bug.cgi?id=505118
Bug ID: 505118
Summary: kioworker accessing nextcloud CalDAV without credentials triggers bruteforce detection
Classification: I don't know
Product: kde
Version First Reported In: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-b...@kde.org
Reporter: stack-...@craban.de
Target Milestone: ---

SUMMARY

After upgrading my nextcloud instance, which now has bruteforce detection (https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html), I noticed that I am constantly hitting the rate limit. After looking at my nginx (reverse proxy) logs, I noticed that kioworker seems to be the culprit. Every request is first attempted without credentials, leading to 401 Unauthorized.

Here is a pseudonymized excerpt from the nginx logs:

```
A.B.C.D - - [02/Jun/2025:09:40:03 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:12 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:40:13 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 207 292 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:21 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:42:57 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:01 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:43:01 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:05 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 207 292 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:43:05 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:09 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
```

I added my nextcloud account in the "Online Accounts" settings option and am synchronizing my calendars with caldav.

I suppose the correct behavior of kioworker should be to use the credentials by default and not as a fallback.

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: KDE Neon based on Ubuntu 24.04
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.14.0
Qt Version: 6.9.0
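
As an added example (not part of the original report, and not KDE or Nextcloud code), this Python script reads nginx combined-format log lines and separates anonymous 401s that the same client retried successfully with credentials from 401s that were never followed by an authenticated success. The function names, the 30-second window, and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def classify_401s(lines, window=timedelta(seconds=30)):
    """Count anonymous 401s that were, or were not, retried with credentials in time."""
    pending = {}                                 # (ip, ua, method, path) -> time of anonymous 401
    retried, unresolved = Counter(), Counter()   # both keyed by (ip, ua)
    for rec in filter(None, map(parse, lines)):
        key = (rec["ip"], rec["ua"], rec["method"], rec["path"])
        if rec["status"] == 401 and rec["user"] == "-":
            if key in pending:                   # second anonymous failure before any success
                unresolved[key[:2]] += 1
            pending[key] = rec["ts"]
        elif 200 <= rec["status"] < 300 and rec["user"] != "-" and key in pending:
            ok = rec["ts"] - pending.pop(key) <= window
            (retried if ok else unresolved)[key[:2]] += 1
    for key in pending:                          # 401s with no authenticated follow-up at all
        unresolved[key[:2]] += 1
    return retried, unresolved

KIO = "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
# The first six lines come from the report's excerpt; the last line is constructed for contrast.
SAMPLE = [
    f'A.B.C.D - - [02/Jun/2025:09:40:03 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "{KIO}"',
    f'A.B.C.D - peter [02/Jun/2025:09:40:12 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "{KIO}"',
    f'A.B.C.D - - [02/Jun/2025:09:40:13 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 401 596 "-" "{KIO}"',
    f'A.B.C.D - peter [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 207 292 "-" "{KIO}"',
    f'A.B.C.D - - [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "{KIO}"',
    f'A.B.C.D - peter [02/Jun/2025:09:40:21 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "{KIO}"',
    '192.0.2.10 - - [02/Jun/2025:09:41:00 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "example-client/1.0"',
]

if __name__ == "__main__":
    print(classify_401s(SAMPLE))
```

On the sample, all three kioworker 401s fall into the retried group, while the constructed client's 401 stays unresolved.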