WebDAV: Privilege with multiple child elements not handled properly
Used Version: 3.34.1
Description: I import my work calendar using CalDAV (hosted on MS Exchange, DavMail Gateway 5.4.0-3135) and it's set to read-only, so I can't create any appointments. I did some digging:
The relevant XML returned by the server to the privilege request looks like this:
<?xml version="1.0" encoding="UTF-8" ?>
<D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:E="urn:ietf:params:xml:ns:carddav">
  <D:response>
    <D:href>/users/peter.krauss@kit.edu/calendar/</D:href>
    <D:propstat>
      <D:prop>
        <D:current-user-privilege-set>
          <D:privilege>
            <D:read />
            <D:write />
          </D:privilege>
        </D:current-user-privilege-set>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
As you can see, the D:read and D:write privileges are set within the same D:privilege node which, to my understanding, is against RFC3744 [1].
Fix:
I tracked down the source and it seems e_webdav_session_current_user_privilege_set_cb in evolution-data-server/src/libedataserver/e-webdav-session.c doesn't handle this situation well. It iterates over all privilege tags and calls e_webdav_session_extract_privilege_simple, which only returns the first privilege, ignoring any following. However, Exchange's DavMail returns one privilege tag with several child nodes (see above).
I solved this issue using a simple workaround, as attached in the diff, webdav-readonly-fix.diff, by creating a new function (e_webdav_session_extract_privilege_multi). However, it's pretty hacky, so please consider it mostly for demonstration purposes.
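Added example, not part of the original report and not evolution-data-server code: a small Python parser that reads a current-user-privilege-set response either one child per D:privilege element (the behaviour described above) or every child, to show how the first mode turns the calendar read-only. The function names, the placeholder href and the simplified writability check are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"
PRIV_PATH = f"{DAV}prop/{DAV}current-user-privilege-set/{DAV}privilege"

# Constructed sample: same shape as the response in the report, placeholder href.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/users/user@example.com/calendar/</D:href>
    <D:propstat>
      <D:prop>
        <D:current-user-privilege-set>
          <D:privilege><D:read /><D:write /></D:privilege>
        </D:current-user-privilege-set>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""


def privileges(xml_text, first_child_only=False):
    """Map each href to the set of privilege element names granted to the user."""
    # first_child_only=True models the behaviour described in the report:
    # one privilege is taken per D:privilege element, later children are dropped.
    result = {}
    root = ET.fromstring(xml_text.encode("utf-8"))
    for response in root.iter(DAV + "response"):
        href = response.findtext(DAV + "href", default="").strip()
        granted = result.setdefault(href, set())
        for propstat in response.findall(DAV + "propstat"):
            status = propstat.findtext(DAV + "status", default="").split()
            if status[1:2] != ["200"]:
                continue  # skip properties the server did not return successfully
            for priv in propstat.findall(PRIV_PATH):
                children = list(priv)[:1] if first_child_only else list(priv)
                for child in children:
                    # Keep the namespace-qualified tag, e.g. "{DAV:}write".
                    granted.add(child.tag)
    return result


def is_writable(granted):
    # Simplified check for this example: DAV:write, or the aggregate DAV:all.
    return bool({DAV + "write", DAV + "all"} & granted)
```

With the sample above, the first-child-only mode yields only DAV:read, so the collection is treated as read-only, while collecting every child also yields DAV:write.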