DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

janjan
Posts: 4
Joined: Tue Jan 23, 2018 10:40 am

Post by janjan »

Hello,

since upgrading Zimbra from 8.6 to 8.8.6 something with the dav access changed and we can no longer use the iOS App "2Do".
After the upgrade something goes wrong with the encoding of the @-Sign in the username, which makes the app unusable. The app itself was not updated and we already tried every possible combination of the username and the @-Sign encoding.

Before the upgrade the request produced these log lines with no errors:

mailbox.log.2018-01-10:2018-01-10 23:10:12,514 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /home/<USER>@<DOMAIN>/Privat/ (depth: one) finished in 180ms
mailbox.log.2018-01-10:2018-01-10 23:10:12,782 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Wed Jan 10 23:10:12 CET 2018, size=382, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:b70fb888-c553-4186-94b9-f1a346608300, name=null, path=null }
mailbox.log.2018-01-10:2018-01-10 23:10:12,790 INFO  [qtp509886383-124052:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/] [name=<USER>@<DOMAIN>;aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] dav - DavServlet operation REPORT to /home/<USER>@<DOMAIN>/Privat/ (depth: zero) finished in 8ms
mailbox.log.2018-01-10:2018-01-10 23:10:12,952 INFO  [qtp509886383-124071:http://<IPADDRESS>:8080/dav/<USER>@<DOMAIN>/Privat/b29bb10d5ffd407ca7b01f9e41d04b4b.ics] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Wed Jan 10 23:10:12 CET 2018, size=1280, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:f81fa178-8407-451f-9c7b-4fc9a2378772, name=null, path=null }
After the upgrade the user is not accepted anymore:

2018-01-21 12:44:02,502 INFO  [qtp998351292-51921:http://<SERVERNAME>/principals/users/<USER>%2540<DOMAIN>/] [name=<USER>@<DOMAIN>;aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57748;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /principals/users/<USER>%40<DOMAIN>/ (depth: zero) finished in 7ms
2018-01-21 12:44:02,731 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] FileUploadServlet - saveUpload(): received Upload: { accountId=6eeca538-ee43-451c-bfd5-22a96aaa8200, time=Sun Jan 21 12:44:02 CET 2018, size=423, uploadId=5b2188a7-d11f-44d5-8b6f-eed23e18c194:2efe693b-9017-488e-bd9d-a15a1b6ebf8f, name=null, path=null }
2018-01-21 12:44:02,740 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - Failing GET of mail item resource - no such account '<USER>%40<DOMAIN>' path '/'
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - /home/<USER>%40<DOMAIN>/ not found
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - sending http error 404 because: Request denied
2018-01-21 12:44:02,741 INFO  [qtp998351292-51913:http://<SERVERNAME>/dav/<USER>%2540<DOMAIN>/] [aname=<USER>@<DOMAIN>;ip=<IPADDRESS>;port=57752;ua=2Do/3.8;] dav - DavServlet operation PROPFIND to /home/<USER>%40<DOMAIN>/ (depth: one) finished in 10ms
Note that I had to replace all real data with dummy data (<USER>, <DOMAIN>, <IPADDRESS>, <SERVERNAME>).
I also noticed the port change but using the non-proxied port did not make any difference.
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by msquadrat »

I am able to access CalDAV from Lightning but that one does encode the @ sign as %40; other clients might not encode it at all.

This looks odd, and like 2Do did double-URL-encode the @-sign: %2540. But with all the encoding happening some info might have been lost; could you have a look at the file nginx.access.log and post the corresponding line from there?
janjan
Posts: 4
Joined: Tue Jan 23, 2018 10:40 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by janjan »

Hello,

here are the corresponding lines from access.log:

<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home HTTP/1.0" 207 465 "-" "2Do/3.8" 19
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/principals/users/<USER>%2540<DOMAIN>/ HTTP/1.0" 207 434 "-" "2Do/3.8" 22
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home/<USER>%2540<DOMAIN>/ HTTP/1.0" 404 0 "-" "2Do/3.8" 22
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/.well-known/caldav HTTP/1.0" 301 0 "-" "2Do/3.8" 1
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/home HTTP/1.0" 207 465 "-" "2Do/3.8" 21
<IPADDRESS> - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //<SERVERNAME>/service/dav/principals/users/<USER>%2540<DOMAIN>/ HTTP/1.0" 207 434 "-" "2Do/3.8" 23
However, CalDav in general works. Some of our users use the native Calendar in Apple iOS which works great.
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by msquadrat »

This looks like a bug in the 2Do app. Notice the string "<USER>%2540<DOMAIN>". That %25 is a URL-encoded percent sign. So 2Do is requesting the calendar for the user "<USER>%40<DOMAIN>". What it probably wanted to request is the URL "<USER>%40<DOMAIN>" which would be, after URL-decoding, "<USER>@<DOMAIN>".

All other CalDAV applications work since they either request the calendar as "<USER>%40<DOMAIN>" or plain "<USER>@<DOMAIN>". You should find some requests with their user agent in your log.

It is possible that Zimbra was a bit more lenient in previous versions and accidentally did the right thing here. Or that Zimbra changed the way it returns the principal URL. There is a bug report about what Zimbra returns here from the DAVdroid author where (at least to my understanding) all involved parties agreed that Zimbra's behaviour is (was) fine. Ah, I found it, it is bug 84857.

I'd get in touch with the 2Do app authors. It is still possible of course that this is a Zimbra issue but right now everything points in their direction.
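The double encoding described in the post above can be checked for in the proxy log. This is an added example, not part of the original thread: it counts how many percent-decoding passes each request's account segment needs before a literal @ appears, grouped by user agent. The sample lines, host, account and the two ExampleClient user agents are constructed; only the log layout and `2Do/3.8` come from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the nginx access-log layout quoted in the thread.
# Host, account and the ExampleClient user agents are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //mail.example.test/service/dav/home HTTP/1.0" 207 465 "-" "2Do/3.8" 19
192.0.2.10 - - [21/Jan/2018:10:12:44 +0000] "PROPFIND //mail.example.test/service/dav/home/alice%2540example.test/ HTTP/1.0" 404 0 "-" "2Do/3.8" 22
192.0.2.11 - - [21/Jan/2018:10:13:02 +0000] "PROPFIND //mail.example.test/service/dav/home/alice%40example.test/ HTTP/1.0" 207 465 "-" "ExampleClientA/1.0" 19
192.0.2.12 - - [21/Jan/2018:10:13:09 +0000] "PROPFIND //mail.example.test/service/dav/home/alice@example.test/ HTTP/1.0" 207 465 "-" "ExampleClientB/1.0" 18
'''

LINE_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Path segment that names the account: /dav/<acct>, /dav/home/<acct>, /dav/principals/users/<acct>
ACCOUNT_RE = re.compile(r'/dav/(?:home/|principals/users/)?(?P<account>[^/\s]+)')

def encoding_depth(segment, max_passes=4):
    """Decoding passes needed before a literal '@' appears (0 = sent raw); None if it never does."""
    for depth in range(max_passes + 1):
        if "@" in segment:
            return depth
        decoded = unquote(segment)
        if decoded == segment:  # nothing left to decode and still no '@'
            return None
        segment = decoded
    return None

def classify(log_text):
    """Return (user_agent, account_segment, depth, status) for DAV requests that name an account."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        seg = ACCOUNT_RE.search(m["target"]) if m else None
        depth = encoding_depth(seg["account"]) if seg else None
        if depth is not None:
            rows.append((m["ua"], seg["account"], depth, int(m["status"])))
    return rows

def over_encoding_clients(log_text):
    """Count requests per user agent where the '@' carried more than one layer of encoding."""
    return Counter(ua for ua, _, depth, _ in classify(log_text) if depth > 1)

if __name__ == "__main__":
    for ua, account, depth, status in classify(SAMPLE_LOG):
        print(f"{ua:20} {account:28} depth={depth} status={status}")
    print("over-encoding clients:", dict(over_encoding_clients(SAMPLE_LOG)))
```

A depth of 2 paired with a 404 is the pattern in the thread's logs: the server decodes the path once and is left with an account name that still contains `%40`.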
Gren Elliot
Advanced member
Posts: 183
Joined: Tue Jun 10, 2014 4:45 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by Gren Elliot »

Zimbra is moving away from using unencoded @ signs in URLs because that causes problems for a number of clients. Looks like our moving away is now causing problems for another client :-(
msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by msquadrat »

Hi Gren,

so something changed indeed for v8.8 (or already 8.7?), probably the response to the original request to find the available calendars now returns encoded ats? Do you happen to have a link to a bug or Git commit where this is discussed? The bug I linked before hasn't been updated since 2015 unfortunately; last response was by a certain well known person :-)
janjan
Posts: 4
Joined: Tue Jan 23, 2018 10:40 am

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by janjan »

I already submitted a support request at 2Do and they are investigating at the moment.
fakamaka
Posts: 4
Joined: Tue Jan 24, 2017 11:52 pm

Re: DAV access denied since upgrade from 8.6 to 8.8.6 (@-sign Encoding error)

Post by fakamaka »

Hello.
I'm running 8.8.9 and after the last update webcal is not working with Outlook any more.
Access denied.
With iCal it is working well.
Any ideas?
Best regards. Pawel