[CalDAV] Nextcloud returns HTTP 500 instead of 403 when POSTing an event without valid instances #30514

Closed
rfc2822 opened this issue Jan 6, 2022 · 4 comments · Fixed by #46593
Labels
2. developing Work in progress bug feature: caldav Related to CalDAV internals

@rfc2822
Contributor

rfc2822 commented Jan 6, 2022

Steps to reproduce

Upload a recurring CalDAV event that does not contain any valid instances. For instance, that could be a daily event with 3 instances (RRULE:FREQ=DAILY;COUNT=5) where all three instances are excluded by EXDATE:

$ cat 1.ics 
BEGIN:VCALENDAR
VERSION:2.0
PRODID:DAVx5/4.1 ical4j/3.1.1
BEGIN:VEVENT
DTSTAMP:20220106T192417Z
UID:188ffa89-91d7-4efd-aa3e-87e83b037901
SEQUENCE:3
SUMMARY:Test
DTSTART;TZID=Europe/Vienna:20220105T150000
DTEND;TZID=Europe/Vienna:20220105T160000
RRULE:FREQ=DAILY;WKST=SU;COUNT=2;INTERVAL=1
EXDATE;TZID=Europe/Vienna:20220106T150000
EXDATE;TZID=Europe/Vienna:20220105T150000
CLASS:PUBLIC
END:VEVENT
END:VCALENDAR

$ curl -inT 1.ics https://cloud.bitfire.at/remote.php/dav/calendars/test/79/188ffa89-91d7-4efd-aa3e-87e83b037901.ics
HTTP/2 500 
[…]

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\VObject\Recur\NoInstancesException</s:exception>
  <s:message>This recurrence rule does not generate any valid instances</s:message>
</d:error>

Expected behaviour

If the server rejects an event because it's invalid, it should return a semantic HTTP error instead of 500 Internal server error, which would indicate the problem is on the server side.

As far as I can see, HTTP 403 with (CALDAV:valid-calendar-object-resource) would be the most appropriate (but maybe there's something better).

Actual behaviour

Nextcloud returns 500 Internal server error.

Server configuration

Operating system: Linux

Web server: nginx

Database: MySQL

PHP version: 8.0

Nextcloud version: 23.0.0

List of activated apps:

Enabled:
  - accessibility: 1.9.0
  - activity: 2.15.0
  - calendar: 3.0.4
  - circles: 23.0.0
  - cloud_federation_api: 1.6.0
  - comments: 1.13.0
  - contacts: 4.0.7
  - contactsinteraction: 1.4.0
  - dashboard: 7.3.0
  - dav: 1.21.0
  - federatedfilesharing: 1.13.0
  - files: 1.18.0
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - firstrunwizard: 2.12.0
  - impersonate: 1.10.0
  - integration_twitter: 1.0.2
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - mail: 1.11.5
  - nextcloud_announcements: 1.12.0
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - password_policy: 1.13.0
  - photos: 1.5.0
  - privacy: 1.7.0
  - provisioning_api: 1.13.0
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - sociallogin: 4.9.7
  - spreed: 13.0.1
  - support: 1.6.0
  - survey_client: 1.11.0
  - talk_matterbridge: 1.23.2
  - tasks: 0.14.2
  - text: 3.4.0
  - theming: 1.14.0
  - twofactor_backupcodes: 1.12.0
  - updatenotification: 1.13.0
  - user_status: 1.3.1
  - viewer: 1.7.0
  - weather_status: 1.3.0
  - workflowengine: 2.5.0
Disabled:
  - admin_audit
  - duplicatefinder
  - encryption
  - federation
  - files_external
  - files_pdfviewer
  - recommendations
  - systemtags
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "23.0.0.10",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "AT",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true,
        "mail_sendmailmode": "smtp",
        "updater.release.channel": "stable",
        "activity_expire_days": 14,
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": -1,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "maintenance": false,
        "theme": "",
        "loglevel": 2
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Logs

Nextcloud log (data/nextcloud.log)

…
{"reqId":"wB6m5behGQYI0jXRHywf","level":4,"time":"2022-01-06T19:27:29+00:00","remoteAddr":"xxxxxxxxxxx","user":"test","app":"webdav","method":"PUT","url":"/remote.php/dav/calendars/test/79/188ffa89-91d7-4efd-aa3e-87e83b037901.ics","message":"This recurrence rule does not generate any valid instances","userAgent":"curl/7.74.0","version":"23.0.0.10","exception":{"Exception":"Sabre\\VObject\\Recur\\NoInstancesException","Message":"This recurrence rule does not generate any valid instances","Code":0,"Trace":[{"file":"/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php","line":2761,"function":"__construct","class":"Sabre\\VObject\\Recur\\EventIterator","type":"->"},{"file":"/nextcloud/apps/dav/lib/CalDAV/CalDavBackend.php","line":1355,"function":"getDenormalizedData","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->"},{"file":"/nextcloud/3rdparty/sabre/dav/lib/CalDAV/CalendarObject.php","line":103,"function":"updateCalendarObject","class":"OCA\\DAV\\CalDAV\\CalDavBackend","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1137,"function":"put","class":"Sabre\\CalDAV\\CalendarObject","type":"->"},{"file":"/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":492,"function":"updateFile","class":"Sabre\\DAV\\Server","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPut","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/nextcloud/apps/dav/lib/Server.php","line":339,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/nextcloud/remote.php","line":166,"args":["/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/nextcloud/3rdparty/sabre/vobject/lib/Recur/EventIterator.php","Line":192,"CustomMessage":"--"}}

@szaimen
Contributor

szaimen commented Jan 23, 2023

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

@ArnyminerZ

Can confirm the issue is still here on 25.0.3. With the same .ics as @rfc2822. Running

curl -inT 1.ics -H "Authorization: Basic xxx" https://cloud.bitfire.at/remote.php/dav/calendars/test/79/188ffa89-91d7-4efd-aa3e-87e83b037901.ics

Nextcloud returns:

HTTP/2 500 
server: nginx/1.18.0 (Ubuntu)
date: Mon, 23 Jan 2023 14:40:22 GMT
content-type: application/xml; charset=utf-8
[...]
content-security-policy: default-src 'none';
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
[...]
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\VObject\Recur\NoInstancesException</s:exception>
  <s:message>This recurrence rule does not generate any valid instances</s:message>
</d:error>

@SebastianKrupinski
Contributor

Confirmed.

Error is being generated in the Sabre\VObject\Recur\EventIterator line 192. When called from OCA\DAV\CalDAV\CalDavBackend->getDenormalizedData() line 2990.

Possible solutions...

  1. Update SabreDav repository
  2. Capture exception and throw a new exception.

@nagmat84

The error has quite an impact on Android clients with DAVx5. If the user (somehow) manages to create an invalid CalDAV event on Android, then it enters the upload cache of DAVx5. As the server responds with error code 500, which indicates a server-side error, DAVx5 keeps the entry in its cache and repeatedly tries to upload the same broken CalDAV entry again later on. This effectively prevents DAVx5 from syncing any other events.

This also seems to affect other clients: see #5641 (comment).

However, as it is the entry sent by the client, the NC must respond with a 4xx error to inform the DAVx5 client that the entry is broken.

While it is expected behavior of the server to reject the broken event, it must do so with a 4xx response.
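
The behaviour requested in this thread, as an added example that is not part of the original issue, Nextcloud's code, or the fix in #46593: a pre-storage check that detects a recurrence with no surviving instances and rejects it as a client error carrying the CALDAV:valid-calendar-object-resource precondition. The function names are hypothetical, and the expansion is deliberately narrowed to FREQ=DAILY with COUNT (the shape of the reported 1.ics), ignoring line folding and assuming all times share one TZID.

```python
from datetime import datetime, timedelta

# Constructed sample: the report's 1.ics, reduced to the properties that
# decide whether any instance survives.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:188ffa89-91d7-4efd-aa3e-87e83b037901
DTSTART;TZID=Europe/Vienna:20220105T150000
RRULE:FREQ=DAILY;WKST=SU;COUNT=2;INTERVAL=1
EXDATE;TZID=Europe/Vienna:20220106T150000
EXDATE;TZID=Europe/Vienna:20220105T150000
END:VEVENT
END:VCALENDAR
"""

# RFC 4791 precondition element the report asks for, in a DAV:error body.
PRECONDITION_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<d:error xmlns:d="DAV:" xmlns:cal="urn:ietf:params:xml:ns:caldav">\n'
    '  <cal:valid-calendar-object-resource/>\n'
    '</d:error>\n'
)

def _stamp(value):
    # Assumption: all times share one TZID, so wall-clock values compare directly.
    return datetime.strptime(value, "%Y%m%dT%H%M%S")

def surviving_instances(ics):
    """Expand FREQ=DAILY;COUNT=n and drop every EXDATE (hypothetical helper)."""
    props = [line.split(":", 1) for line in ics.splitlines() if ":" in line]
    start = next(_stamp(v) for k, v in props if k.split(";")[0] == "DTSTART")
    rule = next((v for k, v in props if k == "RRULE"), None)
    if rule is None:
        return [start]
    parts = dict(p.split("=", 1) for p in rule.split(";"))
    if parts.get("FREQ") != "DAILY" or "COUNT" not in parts:
        raise NotImplementedError("example covers only FREQ=DAILY with COUNT")
    step = timedelta(days=int(parts.get("INTERVAL", "1")))
    excluded = {_stamp(d) for k, v in props
                if k.split(";")[0] == "EXDATE" for d in v.split(",")}
    candidates = [start + i * step for i in range(int(parts["COUNT"]))]
    return [c for c in candidates if c not in excluded]

def check_put(ics):
    """None if the object is acceptable, else the (status, body) rejection."""
    try:
        return None if surviving_instances(ics) else (403, PRECONDITION_BODY)
    except (ValueError, StopIteration):  # malformed input is a client error too
        return 403, PRECONDITION_BODY
```

A client that receives this 403 can treat the upload as permanently rejected instead of retrying it, which is the distinction the comments above rely on.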
