DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Mon Jan 29, 2018 2:28 pm
by janjan
Hello,

since upgrading Zimbra from 8.6 to 8.8.6 something with the dav access changed and we can no longer use the iOS App "2Do".
After the upgrade something goes wrong with the encoding of the @-Sign in the username, which makes the app unusable. The app itself was not updated and we already tried every possible combination of the username and the @-Sign encoding.

Before the upgrade the request produced these log lines with no errors:

mailbox.log.2018-01-10:2018-01-10 23:10:12,514 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /home/<USER>@<DOMAIN>/Privat/ (depth: one) finished in 180ms
mailbox.log.2018-01-10:2018-01-10 23:10:12,782 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Wed Jan 10 23:10:12 CET 2018, size=382, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:b70fb888-c553-4186-94b9-f1a346608300, name=null, path=null }
mailbox.log.2018-01-10:2018-01-10 23:10:12,790 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [name=<USER>@<DOMAIN>;aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] dav - DavServlet operation REPORT to /home/<USER>@<DOMAIN>/Privat/ (depth: zero) finished in 8ms
mailbox.log.2018-01-10:2018-01-10 23:10:12,952 INFO  [qtp509886383-124071:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/b29bb10d5ffd407ca7b01f9e41d04b4b.ics] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Wed Jan 10 23:10:12 CET 2018, size=1280, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:f81fa178-8407-451f-9c7b-4fc9a2378772, name=null, path=null }


After the upgrade the user is not accepted anymore:

2018-01-21 12:44:02,502 INFO  [qtp998351292-51921:http://<SERVERNAME>/principals/users/<USER>%2540<DOMAIN>/] [name=<USER>@<DOMAIN>;aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57748;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /principals/users/<USER>%40<DOMAIN>/ (depth: zero) finished in 7ms
2018-01-21 12:44:02,731 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Sun Jan 21 12:44:02 CET 2018, size=423, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:2efe693b-9017-488e-bd9d-a15a1b6ebf8f, name=null, path=null }
2018-01-21 12:44:02,740 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - Failing GET of mail item resource - no such account '<USER>%40<DOMAIN>' path '/'
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - /home/<USER>%40<DOMAIN>/ not found
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - sending http error 404 because: Request denied
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /home/<USER>%40<DOMAIN>/ (depth: one) finished in 10ms


Note that I had to replace all real data with dummy data (<USER>, <DOMAIN>, <IPADDRESS>, <SERVERNAME>).
I also noticed the port change but using the non-proxied port did not make any difference.

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Mon Jan 29, 2018 3:37 pm
by msquadrat
I am able to access CalDAV from Lightning but that one does encode the @ sign as %40; other clients might not encode it at all.

This looks odd, and like 2Do did double-URL-encode the @-sign: %2540. But with all the encoding happening some info might have been lost; could you have a look at the file nginx.access.log and post the corresponding line from there?

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Wed Jan 31, 2018 11:43 am
by janjan
Hello,

here are the corresponding lines from access.log:

<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home HTTP/1.0" 207 465 "-" "2Do/3.8" 19
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/principals/users/<USER>%2540<DOMAIN>/ HTTP/1.0" 207 434 "-" "2Do/3.8" 22
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home/<USER>%2540<DOMAIN>/ HTTP/1.0" 404 0 "-" "2Do/3.8" 22
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/.well-known/caldav HTTP/1.0" 301 0 "-" "2Do/3.8" 1
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home HTTP/1.0" 207 465 "-" "2Do/3.8" 21
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/principals/users/<USER>%2540<DOMAIN>/ HTTP/1.0" 207 434 "-" "2Do/3.8" 23


However, CalDav in general works. Some of our users use the native Calendar in Apple iOS which works great.

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Wed Jan 31, 2018 1:06 pm
by msquadrat
This looks like a bug in the 2Do app. Notice the string "<USER>%2540<DOMAIN>". That %25 is a URL-encoded percent sign. So 2Do is requesting the calendar for the user "<USER>%40<DOMAIN>". What it probably wanted to request is the URL "<USER>%40<DOMAIN>", which would be, after URL-decoding, "<USER>@<DOMAIN>".

All other CalDAV applications work since they either request the calendar as "<USER>%40<DOMAIN>" or plain "<USER>@<DOMAIN>". You should find some requests with their user agent in your log.

It is possible that Zimbra was a bit more lenient in previous versions and accidentally did the right thing here. Or that Zimbra changed the way it returns the principal URL. There is a bug report about what Zimbra returns here from the DAVdroid author where (at least to my understanding) all involved parties agreed that Zimbra's behaviour is (was) fine. Ah, I found it, it is Bug 84857.

I'd get in touch with the 2Do app authors. It is still possible of course that this is a Zimbra issue but right now everything points in their direction.
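
Added example (not part of the original posts, and not Zimbra or 2Do code): a small Python scan of access-log lines that flags request targets whose percent sign was itself encoded (`%25` followed by two hex digits) and shows the name the server sees after one decode next to the name the client probably meant. The log lines are constructed in the layout quoted above; the host, users, IP addresses and the `ClientA`/`ClientB` user agents are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the access-log layout quoted in the thread;
# host, users, IPs and the ClientA/ClientB agents are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //mail.example.test/service/dav/home/alice%2540example.test/ HTTP/1.0" 404 0 "-" "2Do/3.8" 22
192.0.2.11 - - [21/Jan/2018:10:13:02 +0000] "PROPFIND //mail.example.test/service/dav/home/bob%40example.test/ HTTP/1.0" 207 465 "-" "ClientA/1.0" 19
192.0.2.12 - - [21/Jan/2018:10:13:40 +0000] "PROPFIND //mail.example.test/service/dav/home/carol@example.test/ HTTP/1.0" 207 465 "-" "ClientB/1.0" 20
'''

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# "%25" followed by two hex digits is a percent sign that was itself encoded.
DOUBLE_ENC_RE = re.compile(r'%25(?=[0-9A-Fa-f]{2})')


def classify(target):
    """Return (kind, once_decoded) for a raw request target."""
    once = unquote(target)  # what a server that decodes exactly once will see
    if DOUBLE_ENC_RE.search(target):
        return "double-encoded", once
    if once != target:
        return "encoded", once
    return "plain", once


def scan(log_text):
    """Classify every request line; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        kind, once = classify(m["target"])
        findings.append({"ua": m["ua"], "status": int(m["status"]),
                         "kind": kind, "seen_by_server": once,
                         "intended": unquote(once)})  # second decode
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['status']} {f['ua']:12} {f['seen_by_server']}")
```

Grouping the findings by user agent shows which clients send the double-encoded form, which is the comparison suggested above for the other CalDAV applications in the log.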

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Mon Feb 12, 2018 2:25 pm
by Gren Elliot
Zimbra is moving away from using unencoded @ signs in URLs because that causes problems for a number of clients. Looks like our moving away is now causing problems for another client :-(

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Mon Feb 12, 2018 2:31 pm
by msquadrat
Hi Gren,

so something changed indeed for v8.8 (or already 8.7?), probably the response to the original request to find the available calendars now returns encoded ats? Do you happen to have a link to a bug or Git commit where this is discussed? The bug I linked before wasn't updated since 2015 unfortunately; last response was by a certain well known person :-)

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Tue Feb 13, 2018 8:29 am
by janjan
I already submitted a support request at 2Do and they are investigating at the moment.

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Posted: Fri Nov 16, 2018 11:23 am
by fakamaka
Hello.
I'm running 8.8.9 and after the last update webcal is not working with Outlook any more.
Access denied.
With iCal it is working well.
Any ideas?
Best regards. Pawel