WebDAV: Privilege with multiple child elements not handled properly
Used Version: 3.34.1
Description: I import my work calendar using CalDAV (hosted on MS Exchange, DavMail Gateway 5.4.0-3135) and it's set to read-only, so I can't create any appointments. I did some digging:
The relevant XML returned by the server to privilege request looks like this:
<?xml version="1.0" encoding="UTF-8" ?> <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:E="urn:ietf:params:xml:ns:carddav"> <D:response> <D:href>/firstname.lastname@example.org/calendar/</D:href> <D:propstat> <D:prop> <D:current-user-privilege-set> <D:privilege> <D:read /> <D:write /> </D:privilege> </D:current-user-privilege-set> </D:prop> <D:status>HTTP/1.1 200 OK</D:status> </D:propstat> </D:response> </D:multistatus>
As you can see, the
D:write privilege is set within the same
D:privilege node which, to my understanding, is against the RFC3744 
I tracked down the source and it seems
evolution-data-server/src/libedataserver/e-webdav-session.c doesn't handle this situation well. It iterates over all privilege tags and calls
e_webdav_session_extract_privilege_simple which only returns the first privilege ignoring any following. However, Exchange's DavMail returns one privilege tag with several child nodes (see above).
I solved this issue using a simple workaround as attached in the diff,webdav-readonly-fix.diff by creating a new function (
e_webdav_session_extract_privilege_multi). However, it's pretty hacky, so please consider it mostly for demonstration purposes.