It was reported [1] that the Claws vCalendar plugin stored usernames and passwords on-disk in cleartext format. Typically ~/.claws-mail should be mode 0750 and owned by the user so there should be no casual "leaking" of credentials; likewise most home directories on Fedora should be mode 0700. Yet Claws should ideally not be storing these credentials in cleartext. [1] http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3099
Created claws-mail tracking bugs for this issue: Affects: fedora-all [bug 1074685] Affects: epel-all [bug 1074686]
Could this ticket be kept accurate about describing the real issue? I've been following the upstream ticket as a subscriber of a ML, and it has been said that the credentials only enter a non-encrypted cache file if specified inside an URI user:pass@server.
Not only the cache file, but the URI (as you described) is stored in the folder list in .claws-mail folder in full and plain form. HTTP-authenticated access to calendar is currently not possible any other way.
I don't believe the initial description was "inaccurate". Perhaps it didn't provide all the details as in the upstream bug, but that's why the upstream bug was linked.