[GH-ISSUE #152] Handling of URL encoding in REPORT request #148

New issue

Closed

opened 2026-02-25 20:31:00 +03:00 by kerem · 9 comments

kerem commented 2026-02-25 20:31:00 +03:00

Owner

Copy link

Originally created by @peter-mogensen on GitHub (Aug 10, 2016).
Original GitHub issue: https://github.com/aluxnimm/outlookcaldavsynchronizer/issues/152

Hi,

Sending REPORT request to a CalDAV server where the encoding in the Request-URI does not match the one used for URLs in elements is illegal (according to RFC4918, section 8.3 )

It seems this happens for this client when the Calendar Collection URL contains "@".

Like this - in summary:

C: REPORT:calendar-query /calendars/users/me@domain/calendar/
----------------------------------------------------------------
<?xml version="1.0"?>
                     <C:calendar-query 
xmlns:C="urn:ietf:params:xml:ns:caldav">
                         <D:prop xmlns:D="DAV:">
                             <D:getetag/>
                         </D:prop>
                         <C:filter>
                             <C:comp-filter name="VCALENDAR">
                                 <C:comp-filter name="VEVENT">
                                   <C:time-range 
start="20160611T000000Z" end="20170207T000000Z"/>
                                 </C:comp-filter>
                             </C:comp-filter>
                         </C:filter>
                     </C:calendar-query>
-----------------------------------------------------------------

S: 207 - Here's a bunch of hrefs of the form:
    <href>/calendars/users/me%40domain/calendar/blabla.ics</href>

C: REPORT:calendar-multiget /calendars/users/me@domain/calendar/
    <href>/calendars/users/me%40domain/calendar/blabla.ics</href
    ...

The last Request is illegal and results in a bunch of "Bad Request" responses.

Originally created by @peter-mogensen on GitHub (Aug 10, 2016). Original GitHub issue: https://github.com/aluxnimm/outlookcaldavsynchronizer/issues/152 Hi, Sending REPORT request to a CalDAV server where the encoding in the Request-URI does not match the one used for URLs in <href> elements is illegal (according to RFC4918, section 8.3 ) It seems this happens for this client when the Calendar Collection URL contains "@". Like this - in summary: ``` C: REPORT:calendar-query /calendars/users/me@domain/calendar/ ---------------------------------------------------------------- <?xml version="1.0"?> <C:calendar-query xmlns:C="urn:ietf:params:xml:ns:caldav"> <D:prop xmlns:D="DAV:"> <D:getetag/> </D:prop> <C:filter> <C:comp-filter name="VCALENDAR"> <C:comp-filter name="VEVENT"> <C:time-range start="20160611T000000Z" end="20170207T000000Z"/> </C:comp-filter> </C:comp-filter> </C:filter> </C:calendar-query> ----------------------------------------------------------------- S: 207 - Here's a bunch of hrefs of the form: <href>/calendars/users/me%40domain/calendar/blabla.ics</href> C: REPORT:calendar-multiget /calendars/users/me@domain/calendar/ <href>/calendars/users/me%40domain/calendar/blabla.ics</href ... ``` The last Request is illegal and results in a bunch of "Bad Request" responses.

kerem closed this issue 2026-02-25 20:31:00 +03:00

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@aluxnimm commented on GitHub (Aug 10, 2016):

We had some issues with older Owncloud servers and double encoding or wrong encodings in hrefs from server responses. What server are you using? What happens if you use the %40 inside the DAV url when configuring the sync profile?

<!-- gh-comment-id:239009376 --> @aluxnimm commented on GitHub (Aug 10, 2016): We had some issues with older Owncloud servers and double encoding or wrong encodings in hrefs from server responses. What server are you using? What happens if you use the %40 inside the DAV url when configuring the sync profile?

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@peter-mogensen commented on GitHub (Aug 11, 2016):

It's Apples CalendarServer.

I've confirmed with Apple that it is intented behavior of the server to reply with %40 even if the Request-URI is "@".
So the Outlook plugin needs to parse the returned hrefs and formulate the next request so Request-URI matches the href in the multiget body.

Using %40 when configuring is a work-around at present it seems.
But that would in principle require that the server also replies with %40 during any auto-discovery (via DNS and .well-known) ... I believe the CalendarServer does this, but one could probably not in general relying on servers doing that.

BTW ... We've tested this on an Windows 10/ Outlook 2016 and I have followed the link form sourceforge to here, so I assume this is the source code. Please excuse me if there has been forks of the sourceforge project and I'm posting this the wrong place.
https://sourceforge.net/projects/outlookcaldavsynchronizer/

<!-- gh-comment-id:239080596 --> @peter-mogensen commented on GitHub (Aug 11, 2016): It's Apples CalendarServer. I've confirmed with Apple that it is intented behavior of the server to reply with %40 even if the Request-URI is "@". So the Outlook plugin needs to parse the returned hrefs and formulate the next request so Request-URI matches the href in the multiget body. Using %40 when configuring is a work-around at present it seems. But that would in principle require that the server also replies with %40 during any auto-discovery (via DNS and .well-known) ... I believe the CalendarServer does this, but one could probably not in general relying on servers doing that. BTW ... We've tested this on an Windows 10/ Outlook 2016 and I have followed the link form sourceforge to here, so I assume this is the source code. Please excuse me if there has been forks of the sourceforge project and I'm posting this the wrong place. https://sourceforge.net/projects/outlookcaldavsynchronizer/

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@evert commented on GitHub (Aug 11, 2016):

The problem here is that the client uses string matching to determine equivalence in urls. This is far to simplistic, and it probably means you have other bugs too.

You should normalize every URI before comparing it.

<!-- gh-comment-id:239089078 --> @evert commented on GitHub (Aug 11, 2016): The problem here is that the client uses string matching to determine equivalence in urls. This is far to simplistic, and it probably means you have other bugs too. You should normalize every URI before comparing it.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@peter-mogensen commented on GitHub (Aug 11, 2016):

I actually don't think this specific issue is about "comparison" in the client per se.
The final REPORT:calendar-multiget request which the client sends is semantically good enough... it's just that the client cannot blindly copy-paste URLs from the previous 207 answer from the server into the multiget request while at the same time keep using the same syntax in the Request-URI.

The client has to ensure in every request it makes containing URLs in the body that the same encoding is used in the elements as in the Request-URI.

<!-- gh-comment-id:239091514 --> @peter-mogensen commented on GitHub (Aug 11, 2016): I actually don't think this specific issue is about "comparison" in the client per se. The final REPORT:calendar-multiget request which the client sends is semantically good enough... it's just that the client cannot blindly copy-paste URLs from the previous 207 answer from the server into the multiget request while at the same time keep using the same syntax in the Request-URI. The client has to ensure in every request it makes containing URLs in the body that the _same_ encoding is used in the <href> elements as in the Request-URI.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@aluxnimm commented on GitHub (Aug 11, 2016):

Actually, we compare the unescaped uris to determine equivalence.
Since the C# Uri class had some issues we wrote a wrapper WebResourceName.cs

But need to investigate in detail what happens here and need to remember the issues we had with Owncloud, that was the main reason we changed that code.

<!-- gh-comment-id:239091984 --> @aluxnimm commented on GitHub (Aug 11, 2016): Actually, we compare the unescaped uris to determine equivalence. Since the C# Uri class had some issues we wrote a wrapper [WebResourceName.cs](https://github.com/aluxnimm/outlookcaldavsynchronizer/blob/master/CalDavSynchronizer/DataAccess/WebResourceName.cs) But need to investigate in detail what happens here and need to remember the issues we had with Owncloud, that was the main reason we changed that code.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@aluxnimm commented on GitHub (Aug 15, 2016):

Should be fixed in 2.4.0.

<!-- gh-comment-id:239947793 --> @aluxnimm commented on GitHub (Aug 15, 2016): Should be fixed in 2.4.0.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@rfc2822 commented on GitHub (Aug 16, 2016):

You should normalize every URI before comparing it.

I ran into the same problem and thought so, too. See https://github.com/square/okhttp/issues/1916 why this is not always a good idea (it especially hit me hard that GET https://github.com/square/%6fkhttp returns an error, while GET https://github.com/square/okhttp returns 200).

However, in WebDAV context, I think it's safe (and a better solution) to decode URL components before comparing them. For dav4android/DAVdroid, we use decoding for comparison, but access every resource with the same URL as sent by the server.

<!-- gh-comment-id:240114776 --> @rfc2822 commented on GitHub (Aug 16, 2016): > You should normalize every URI before comparing it. I ran into the same problem and thought so, too. See https://github.com/square/okhttp/issues/1916 why this is not always a good idea (it especially hit me hard that `GET https://github.com/square/%6fkhttp` returns an error, while `GET https://github.com/square/okhttp` returns 200). However, in WebDAV context, I think it's safe (and a better solution) to decode URL components before comparing them. For dav4android/DAVdroid, we use [decoding for comparison](https://gitlab.com/bitfireAT/dav4android/blob/master/src/main/java/at/bitfire/dav4android/UrlUtils.java#L10), but access every resource with the same URL as sent by the server.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@aluxnimm commented on GitHub (Aug 16, 2016):

yes we do exactly the same thing now, sounds reasonable.

<!-- gh-comment-id:240119823 --> @aluxnimm commented on GitHub (Aug 16, 2016): yes we do exactly the same thing now, sounds reasonable.

kerem commented 2026-02-25 20:31:00 +03:00

Author

Owner

Copy link

@evert commented on GitHub (Aug 16, 2016):

That would be my exact suggestion too. Don't rewrite urls, only normalize for comparing.
If it helps I can point you to the algorithm I wrote
On Aug 16, 2016 4:14 PM, rfc2822 notifications@github.com wrote:
You should normalize every URI before comparing it.

I ran into the same problem and thought so, too. See square/okhttp#1916 why this is not always a good idea (it especially hit me hard that GET https://github.com/square/%6fkhttp returns an error, while GET https://github.com/square/okhttp returns 200).

However, in WebDAV context, I think it's safe (and a better solution) to decode URL components before comparing them. For dav4android/DAVdroid, we use decoding for comparison, but access every resource with the same URL as sent by the server.

—You are receiving this because you commented.Reply to this email directly, view it on GitHub, or mute the thread.

<!-- gh-comment-id:240121419 --> @evert commented on GitHub (Aug 16, 2016): That would be my exact suggestion too. Don't rewrite urls, only normalize for comparing. If it helps I can point you to the algorithm I wrote On Aug 16, 2016 4:14 PM, rfc2822 notifications@github.com wrote: You should normalize every URI before comparing it. I ran into the same problem and thought so, too. See square/okhttp#1916 why this is not always a good idea (it especially hit me hard that GET https://github.com/square/%6fkhttp returns an error, while GET https://github.com/square/okhttp returns 200). However, in WebDAV context, I think it's safe (and a better solution) to decode URL components before comparing them. For dav4android/DAVdroid, we use decoding for comparison, but access every resource with the same URL as sent by the server. —You are receiving this because you commented.Reply to this email directly, view it on GitHub, or mute the thread.

kerem referenced this issue 2026-03-01 17:40:21 +03:00

[GH-ISSUE #148] Trouble synchronizing recurring events created for different timezones - Outlook 2013. #614

kerem referenced this issue 2026-03-14 00:01:25 +03:00

[GH-ISSUE #148] Trouble synchronizing recurring events created for different timezones - Outlook 2013. #1046

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/nuget/CalDavSynchronizer.IntegrationTests/log4net-3.3.0

temp/RemoveInvalidXmlCharsStream

feature/switch_to_google_people_api

feature/localization

feature/Bulk-profile-creation

PierreMarieBaty-master

gh-pages

v4.6.0

v4.5.0

v4.4.1

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.2

v3.8.1

v3.8.0

v3.7.0

v3.6.2

v3.6.1

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.1

v3.2.0

v3.1.1

v3.1.0

v3.0.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.23.0

v2.22.2

v2.22.1

v2.22.0

v2.21.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.1

v2.15.0

v2.14.1

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.1

v2.9.0

v2.8.2

v2.8.1

v2.8.0

v2.7.0

v2.6.1

v2.6.0

v2.5.1

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.24.0

v1.23.0

v1.22.0

v1.21.0

v1.20.3

v1.20.0

v1.19.0

v1.18.0

v1.17.0

v1.16.0

v1.15.0

v1.14.2

v1.14.0

v1.13.2

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.3

v0.99.15

v0.99.14

v0.99.13

v0.99.12

v0.99.10

v0.99.9

v0.99.8

v0.99.7

v0.99.6

v0.99.5

Labels

Clear labels   

1.0

  

1.0

  

1.0

  

2.0

  

Feature

  

Feature request

  

Google

  

Google Calendar

  

async

  

attachement

  

auto-migrated

  

auto-migrated

  

auto-migrated

  

bug

  

critical

  

enhancement

  

help wanted

  

implemented

  

pull-request

Mirrored from GitHub Pull Request

  

solved

  

solved

  

sourceforge

  

sourceforge

  

sourceforge

No labels

1.0

1.0

1.0

2.0

Feature

Feature request

Google

Google Calendar

async

attachement

auto-migrated

auto-migrated

auto-migrated

bug

critical

enhancement

help wanted

implemented

pull-request

solved

solved

sourceforge

sourceforge

sourceforge

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/outlookcaldavsynchronizer#148

No description provided.