[Owncloud] webdav fixes (Nokia N9 double encodes @ in caldav urls)

Evert Pot evert at rooftopsolutions.nl
Sat Jan 5 20:34:27 UTC 2013


On Jan 5, 2013, at 3:11 PM, Ed W <lists at wildgooses.com> wrote:

> 
>> I'm actually not an owncloud dev; I'm the sabredav maintainer... If any issues surface though, I'm happy to apply any fixes to 1.6.x; It should be pretty much painless to update to a new version in the 1.6 range.
>> 
> 
> Could you chew over this hack...
> 
> --- 3rdparty/Sabre/DAV/URLUtil.php.orig    2012-12-10 15:50:05.759930750 +0000
> +++ 3rdparty/Sabre/DAV/URLUtil.php    2012-12-24 15:02:46.407943525 +0000
> @@ -75,6 +75,9 @@
>      */
>     static function decodePathSegment($path) {
> 
> +    # N9 double encodes urls. Gingerly workaround probable such urls
> +    $path = str_replace('%2540', '%40', $path);
> +
>         $path = rawurldecode($path);
>         $encoding = mb_detect_encoding($path, array('UTF-8','ISO-8859-1'));
> 
> 
> 
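Review bot: the `str_replace('%2540', '%40', $path)` line is unconditional, so it applies to every path segment passed to decodePathSegment(), not only to principal names. A segment whose real name contains the literal text `%40` is correctly sent as `%2540`, and with this line it decodes to `@` instead, which names a different resource. Suggest leaving this function as a single `rawurldecode()` and handling the double-encoded form at the point where the user name is looked up, so other paths keep their exact input.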
> Basically my login tokens are email addresses, the N9 initially uses a correctly escaped version, but then it seems to get back the list of calendars with hrefs (correctly?) escaped, it then double encodes these urls and requests each calendar (which obviously fails)
> 
> Double decoding is clearly dangerous, so I have limited it to this one specific value.  It's definitely a hack and seems to affect only a small number of devices (Nokia N9 only?).
> 
> Any thoughts on a better solution?

Yea I do actually think this is a pretty bad idea. The result is that urls that are expected to have the pattern %2540 will now also become %40.

For caldav/carddav this is not a very big deal, because the urls tend to be not that crazy, but this fix will also apply to fileserving, where you really need to make a strong effort to retain the exact input. You don't want serious stuff to corrupt.

But since the issue is just in email addresses, I think I would hack the principalbackends instead.
When a path is requested that contains an email address, like:

/calendars/user at example.org/

Make sure that the system that looks up 'user at example.org' can also deal with a urlencoded version of this.

Evert
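
An added example, not part of the original message and not SabreDAV or ownCloud code: PHP contrasting the global `%2540` replacement with tolerating the extra encoding layer only in the principal lookup. The function names and the sample principal and file names are hypothetical.

```php
<?php
// Added illustration. Function names and sample data are hypothetical;
// none of this is SabreDAV API.

// Single decode, the behaviour the unpatched path decoding relies on.
function decodeOnce($segment) {
    return rawurldecode($segment);
}

// The workaround from the patch: collapse %2540 before decoding,
// for every segment regardless of what kind of resource it names.
function decodeWithGlobalHack($segment) {
    return rawurldecode(str_replace('%2540', '%40', $segment));
}

// Alternative: leave decoding alone and accept one extra layer of
// encoding only while matching a name against the known principals.
function findPrincipal($decodedName, array $knownPrincipals) {
    // An exact match always wins, so a literal name is never reinterpreted.
    if (in_array($decodedName, $knownPrincipals, true)) {
        return $decodedName;
    }
    // Second decode is accepted only if it changes the name AND the
    // result is an existing principal; anything else is rejected.
    $again = rawurldecode($decodedName);
    if ($again !== $decodedName && in_array($again, $knownPrincipals, true)) {
        return $again;
    }
    return null;
}

$principals = array('user@example.org'); // constructed sample data

// A file literally named "report%40draft.txt" is sent as report%2540draft.txt.
// Compare the name each decoder hands to the file backend.
$fileSegment = 'report%2540draft.txt';
var_dump(decodeOnce($fileSegment));
var_dump(decodeWithGlobalHack($fileSegment));

// Principal segments: double-encoded, correctly encoded, and an
// unknown double-encoded name that must not resolve.
var_dump(findPrincipal(decodeOnce('user%2540example.org'), $principals));
var_dump(findPrincipal(decodeOnce('user%40example.org'), $principals));
var_dump(findPrincipal(decodeOnce('nobody%2540example.org'), $principals));
```

Because the second decode is gated on a match against existing principals, file and collection paths never pass through it and keep their exact single-decoded names.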

