[GH-ISSUE #442] Incorrect "If-Match" header can lead to data loss #426

New issue

Open

opened 2026-02-25 20:31:36 +03:00 by kerem · 0 comments

kerem commented

2026-02-25 20:31:36 +03:00

Owner

Originally created by @lbuchs on GitHub (Jan 16, 2025).
Original GitHub issue: https://github.com/aluxnimm/outlookcaldavsynchronizer/issues/442

Outlook CalDav Synchronizer does not send the correct "If-Match" Header with a PUT request when modify a entry.

Steps to reproduce:

Load a Event from server, server responses with ETag "11111".
Edit the event on the server side. the new ETag on the server is "22222".
Edit the event in outlook, then sync.

Now the CalDav Synchronizer does:

1.) A REPORT request to the calendar:

<?xml version="1.0"?>
<C:calendar-query xmlns:C="urn:ietf:params:xml:ns:caldav">
    <D:prop xmlns:D="DAV:">
        <D:getetag/>
    </D:prop>
    <C:filter>
        <C:comp-filter name="VCALENDAR">
            <C:comp-filter name="VEVENT">
                <C:time-range start="20241117T000000Z" end="20260117T000000Z"/>
            </C:comp-filter>
        </C:comp-filter>
    </C:filter>
</C:calendar-query>

2.) The server responses with the e-tag <d:getetag>"22222"</d:getetag>

3.) CalDav Synchronizer does a REPORT to get the new event data,

<?xml version="1.0"?>
<C:calendar-multiget xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:D="DAV:">
    <D:prop>
        <D:getetag/>
        <D:displayname/>
        <C:calendar-data/>
    </D:prop>
    <D:href>/address/to/my/card.ics</D:href>
</C:calendar-multiget>

4.) CalDav Synchronizer does a PUT request to send the modified card (which is based on ETag "1111") to the Server. But in the header it uses the ETag fetched before: If-Match: "22222"

PUT /address/to/my/card.ics
If-Match: "22222"

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//ddaysoftware.com//NONSGML DDay.iCal 1.0//EN
BEGIN:VTIMEZONE
[... more ...]

5.) The Server should respond with 412 Precondition Failed because because the provided card is based on ETag "11111" , but it gets overwritten with the changes of ETag "22222" lost.

possible solution

When syncing, PUT requests should be made before fetching new data from the server.

Originally created by @lbuchs on GitHub (Jan 16, 2025). Original GitHub issue: https://github.com/aluxnimm/outlookcaldavsynchronizer/issues/442 Outlook CalDav Synchronizer does not send the correct "If-Match" Header with a PUT request when modify a entry. ## Steps to reproduce: 1. Load a Event from server, server responses with ETag "11111". 2. Edit the event on the server side. the new ETag on the server is "22222". 3. Edit the event in outlook, then sync. Now the CalDav Synchronizer does: 1.) A `REPORT` request to the calendar: ```XML <?xml version="1.0"?> <C:calendar-query xmlns:C="urn:ietf:params:xml:ns:caldav"> <D:prop xmlns:D="DAV:"> <D:getetag/> </D:prop> <C:filter> <C:comp-filter name="VCALENDAR"> <C:comp-filter name="VEVENT"> <C:time-range start="20241117T000000Z" end="20260117T000000Z"/> </C:comp-filter> </C:comp-filter> </C:filter> </C:calendar-query> ``` 2.) The server responses with the e-tag `<d:getetag>"22222"</d:getetag>` 3.) CalDav Synchronizer does a `REPORT` to get the new event data, ```XML <?xml version="1.0"?> <C:calendar-multiget xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:D="DAV:"> <D:prop> <D:getetag/> <D:displayname/> <C:calendar-data/> </D:prop> <D:href>/address/to/my/card.ics</D:href> </C:calendar-multiget> ``` 4.) CalDav Synchronizer does a `PUT` request to send the modified card (which is based on ETag "1111") to the Server. But in the header it uses the ETag fetched before: `If-Match: "22222"` ``` PUT /address/to/my/card.ics If-Match: "22222" BEGIN:VCALENDAR VERSION:2.0 PRODID:-//ddaysoftware.com//NONSGML DDay.iCal 1.0//EN BEGIN:VTIMEZONE [... more ...] ``` 5.) The Server should respond with `412 Precondition Failed` because because the provided card is based on ETag `"11111"` , but it gets overwritten with the changes of ETag `"22222"` lost. ## possible solution When syncing, `PUT` requests should be made before fetching new data from the server.