tine20 / tine20

Tine 2.0 main repository
GNU Affero General Public License v3.0

0010602: malformed http request causes complete calendar de-sync #5284

Open Gloirin opened 6 years ago

Gloirin commented 6 years ago

Reported by mdik on 19 Dec 2014 16:56

Version: Kristina (2013.03.8)

An HTTP request stemming from KDE's Akonadi system, which was fed by an ics file with a recurrence id such as "RECURRENCE-ID;TZID=W. Europe Standard Time:20141218T160000", leads to complete de-sync.

Other groupware software handles this better in my opinion because they just fail the entering of this specific event, but continue working apart from this.

Steps to reproduce: Accept an invitation via Akonadi system with triggering recurrence id.

The resulting HTTP request looks something like 192.168.1.11 - user1 [05/Dec/2014:10:23:41 +0000] "PUT /calendars/da39a3ee5e6b4b0d3255bfef95601890afd80709/40/e3b0c442-98fc-1c14-9afb-f4c8996fb9242014-12-04T16:00:00+01:00.ics HTTP/1.1" 500 2219 "-" "Mozilla/5.0 (X11; Linux x86_64) KHTML/4.13.3 (like Gecko) Konqueror/4.13"

(note the "2014-12-04T16:00:00+01:00.ics" at the end of the url)

Additional information: Cross-reported at bugs.kde.org https://bugs.kde.org/show_bug.cgi?id=342031

Gloirin commented 6 years ago

Comment posted by ingoratsdorf on 21 Dec 2014 19:12

Tine20 DOES basically ignore the request and sends back a 500 Server error. I would have to dig whether this is implicitly wanted and/or just a result of the illegal request.

However, unfortunately the KDE Akonadi Groupdav resource has been well known for this for years. I reported several related bugs in KDE. The resource simply cannot handle sync errors without breaking. It then goes into offline mode and that's the end of it until you delete and recreate the resource.

I suggest you vote for this one: https://bugs.kde.org/show_bug.cgi?id=338570

Related: https://bugs.kde.org/show_bug.cgi?id=335090

Gloirin commented 6 years ago

Comment posted by mdik on 23 Dec 2014 10:43

Ok. This sounds discouraging.

One thing I forgot: I tried to mitigate by a special RewriteRule in the .htaccess: RewriteRule ^calendars([-a-zA-Z0-9/]+)(20[0-9]{2}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\+[0-9]{2}:[0-9]{2})?\.ics /index.php?frontend=webdav$1.ics [E=REMOTE_USER:%{HTTP:Authorization},L,QSA]

The idea was to just cut off the excess timestamp Akonadi appends to the URL. It does prevent the complete de-sync, but it also prevents events from being added to the calendar <-: Anyway, that's the best I could do. Comments on how to improve it would be deeply appreciated!

Gloirin commented 6 years ago

Comment posted by ingoratsdorf on 6 Jan 2015 02:49

To be perfectly honest, I think the bug should be closed for Tine20. Quote: "Other groupware software handles this better in my opinion because they just fail the entering of this specific event, but continue working []".

Well, Tine20 continues to work and quits the illegal request with a 500 Server error; however, Akonadi groupdav cannot handle a 500, only 501-504, 507 and 511.

While (in theory) a response of 400 may be more suitable (as it is not really a server error but a client error), Akonadi groupdav also cannot handle this one, again only >=401.

Ref: https://projects.kde.org/projects/kde/kdepim-runtime/repository/revisions/c9a781f5b61813da80a31793bb6ce90b6f2e9046/entry/resources/dav/common/davjobbase.cpp

Ref: https://tools.ietf.org/html/rfc7231#section-6.5.1
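The two halves of this failure, the server answering a malformed resource name with a generic 500 where a 400 would fit (and the reporter's rewrite rule trying to strip the appended timestamp), and the client treating only a short list of status codes as survivable, can be modelled in a few lines. The following is an added example and not code from tine20, Akonadi or anyone in this thread; the resource name is shaped like the PUT quoted above with dummy hex ids, the status-code sets are copied from the comment above, and the function names and the "robust" per-item policy are this example's own assumptions.

```python
"""Added example, not code from tine20, Akonadi or the issue reporters.

Models the two halves of the de-sync described in this thread:
  * a CalDAV server deciding what to answer to a PUT whose resource name
    has a RECURRENCE-ID timestamp glued onto the UID, and
  * a sync client deciding whether one failed PUT should stop the whole sync.
The resource name and the status-code sets come from the comments above;
function names and the "robust" policy are this example's own assumptions.
"""
import re
from typing import NamedTuple, Optional

# RFC 3339 timestamp as it appears glued to the UID in the PUT from the issue.
_RFC3339 = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})"
# Lazy UID match so the optional timestamp group gets a chance to consume
# the tail; "+" and ".ics" are escaped, which the .htaccess rule in the
# thread forgot (in PCRE an unescaped "{2}+" is a possessive quantifier).
_NAME_RE = re.compile(
    r"^(?P<uid>[A-Za-z0-9-]+?)(?P<rid>" + _RFC3339 + r")?\.ics$")


class ResourceName(NamedTuple):
    uid: str
    recurrence_id: Optional[str]   # timestamp appended by the client, if any

    @property
    def canonical(self) -> str:
        """Name the event's master resource should have (what the
        RewriteRule in the thread tried to produce)."""
        return self.uid + ".ics"


def parse_resource_name(name: str) -> Optional[ResourceName]:
    """Split '<uid><optional timestamp>.ics' into its parts; None if it is
    not a well-formed .ics resource name at all."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    return ResourceName(m.group("uid"), m.group("rid"))


def server_put_status(name: str, fixed: bool) -> int:
    """Status a server returns for PUT on `name`.

    fixed=False reproduces what the thread reports: anything the server
    cannot handle surfaces as a generic 500.  fixed=True is the behaviour
    suggested in the thread: a malformed name is a client error, so 400
    (RFC 7231 section 6.5.1), and a well-formed one is stored (201).
    """
    parsed = parse_resource_name(name)
    if parsed is None or parsed.recurrence_id is not None:
        # A recurrence exception belongs in the master's resource, not in
        # a resource named after one instance; reject rather than merge.
        return 400 if fixed else 500
    return 201


# Status codes the thread says Akonadi's groupdav resource can survive:
# among 5xx only 501-504, 507, 511; among 4xx only >= 401.  Everything else
# flips the resource into offline mode (taken from the comment above).
_AKONADI_SURVIVABLE = set(range(401, 500)) | {501, 502, 503, 504, 507, 511}


def akonadi_like_action(status: int) -> str:
    """Client reaction as described in the thread: survive a short list of
    codes, otherwise go offline and stay there."""
    if 200 <= status < 300:
        return "ok"
    return "continue" if status in _AKONADI_SURVIVABLE else "offline"


def robust_action(status: int) -> str:
    """Per-item reaction that never wedges the whole sync: 4xx is a
    permanent problem with this one item (skip it, keep the rest going),
    5xx is treated as transient (retry with backoff).  Assumed policy."""
    if 200 <= status < 300:
        return "ok"
    if 400 <= status < 500:
        return "skip-item"
    if 500 <= status < 600:
        return "retry"
    return "offline"   # anything else (no HTTP answer at all)


def simulate(name: str, fixed_server: bool) -> dict:
    """Run one PUT through both client policies and report the outcome."""
    status = server_put_status(name, fixed=fixed_server)
    return {"status": status,
            "akonadi": akonadi_like_action(status),
            "robust": robust_action(status)}


# Constructed sample, shaped like the PUT in the issue (hex ids are dummies).
SAMPLE_NAME = "e3b0c442-98fc-1c14-9afb-f4c8996fb9242014-12-04T16:00:00+01:00.ics"

if __name__ == "__main__":
    p = parse_resource_name(SAMPLE_NAME)
    print("uid:", p.uid, "recurrence-id:", p.recurrence_id, "->", p.canonical)
    for fixed in (False, True):
        print("server fixed=%s:" % fixed, simulate(SAMPLE_NAME, fixed))
```

Running it shows the point of the thread: with the server as reported (500) the Akonadi-like policy goes offline and the per-item policy would merely retry; with the server corrected to 400 the per-item policy skips just that event and carries on, while the Akonadi-like policy still goes offline because 400 is not on its list. The 412 that the later Tine version returns is survivable under both policies.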

Gloirin commented 6 years ago

Comment posted by pschuele on 6 Jan 2015 09:49

hi guys,

I'll discuss this issue with the team. maybe it is possible to return with a different error code here.

Gloirin commented 6 years ago

Comment posted by mdik on 9 Jan 2015 13:09

That'd be nice. Until then, could you tell me where in the code I could change that myself? For testing and as immediate remedy.

Thanks!

Gloirin commented 6 years ago

Comment posted by mdik on 27 Jan 2015 10:02

Short update. For another issue I looked into the most recent version of tine 2014.09.7. The issue persists, but instead of error 500, the culprit is now 412.