tobixen
commented
3 years ago ouch, this is indeed a bug.
Closed Feandil closed 3 years ago
tobixen
commented
3 years ago ouch, this is indeed a bug.
tobixen
commented
3 years ago I'm not able to think very straight those days due to a confirmed case of covid ... but I think that throughout the caldav library, the default URL for a calendar event is {url_to_calendar}/{uid}.ics - which of course breaks when there are slashes in the uid. If I've understood the RFCs correct, it's totally up to the client what filename to give when saving a calendar event. So the solution may be to find the place in the code where the URL is made up, and run some algorithm to make the uuid into some legit unique file name. Or perhaps use some uuid generated by the library as the file name, if the given uuid contains invalid characters. What do you think?
Feandil
commented
3 years ago Ow, I'm sorry to learn about your health issues. Take care of yourself! I don't think that this bug is urgent (and with an obvious work around: not using URLs as UIDs... ;) )
After digging around (looking e.g. at the davx5 implementation & the library used there), I think I see two bugs, but I'm not 100% sure...
{url_to_calendar}/{uid}.ics fails if {uid} is weird enough, esp. if it contains / (I wonder what other cases could trigger interesting behaviour (e.g. uid set to @example.com/avc?). As you said, I think (with my limited knowledge and experience of CalDAV) there are two options here, both relying on validating the UUID and if it's weird enough, pick one of:
mhthies
commented
3 years ago I have a similar problem while trying to sync existing iCal data to a Nextcloud CalDAV server:
Events with any number of slashes in their UID result in an HTTP 404 error due to the additional slashes in the URL of the PUT request.
After digging around in the code of python-caldav, I found out the urllib's quote() is already being used for creating the PUT URL. However, it's used with its default parameters, i.e. safe="/", i.e. slashes are not escaped.
I experimentally changed that to safe="" and ran into new problems, since my Apache Webserver (or something of the mod_proxy or mod_proxy_fcgi), working as a Reverse-Proxy in front of my Nextcloud server, obviously does not like single-encoded slashes in the request URL. It returned an HTTP 404 before even passing the request to Nextcloud.
I ended up doing double-URL-escaping slashes in the UID ('/' ⇒ %252F) and normal URL-escaping for all the other reserved characters, by adding a simple .replace('/', '%2F') to the CalendarObjectResource._create() method:
if path is None:
path = quote(id.replace('/', '%2F')) + ".ics"This solves the issue in my case.
tobixen
commented
3 years ago I don't see any issues with double-quoting slashes there.
Still, once again I seem unable to wrap my head completely around this issue ... I feel a bit uncertain if the fix I just pushed is a complete fix that solves all kind of weird characters in the UID (another rare corner case that may need handling: extremely long UIDs ... and perhaps most important, cases where the quoted UID matches some existing file name on the server - that could potentially be a security flaw), or if it's just a partial fix that solves issues with slashes in the UID.
mhthies
commented
3 years ago I don't see any issues with double-quoting slashes there.
I must admit, that I didn't read into the CalDAV standards yet, with respect to the actual meaning of the URLs and the requirements imposed on them.
If they need to be collision-free between different calendar objects (i.e. different UIDs) the double-quoting of (only) the slashes (as I demonstrated above), will violate that in certain cases: It results in the (probably rare) collission between a UID with an already quoted slash and a similar UID with a literal slash in the same location.
tobixen
commented
3 years ago I think I will just call it a day on this issue and close it, even if it possibly ought to be researched more.
Hi!
While trying to debug support within OX of events with UIDs containing a
/(URLs), I triggered the following error (XXXX & XXX were replaced by me):The steps to reproduce are non trivial:
//in the UIDAccording to what I can read in rfc5545, UIDs are "text" for which
//seems to be legit, but caldav/lib/url.py doesn't seem to like that...(side note: amusingly, trying to save this eveng with caldav triggers a PUT on
/dav/caldav/XXX/https%3A//example.com/abcdef.icswhich itself triggers a 404 on our local OX installation, so support for//in UID doesn't seem great in general...)