0005954: CardDAV addressbook-query report does not evaluate prop-filter test for (non-)existence of a property - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0005954	SOGo	Backend Address Book	public	2024-04-15 18:33	2024-04-15 18:39

Reporter	mstilkerich	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Platform	Server	OS	Debian	OS Version	11
Product Version	5.10.0

Summary	0005954: CardDAV addressbook-query report does not evaluate prop-filter test for (non-)existence of a property
Description	The CardDAV addressbook-query report supports searching for vcards that have (or do not have) a given property, independent of its value. SOGo appears to ignore such prop-filter elements and instead returns all cards.
Steps To Reproduce	Here is a trace of the request (Authorization header stripped). The request asks for all vcards containing an EMAIL property. The answer contains the entire addressbook (it is from a test suite and the addressbook only has these four cards), the first card in the answer is not expected. [2024-03-31 08:16:38]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1^M Content-Length: 353^M User-Agent: GuzzleHttp/7^M Host: etain.mike2k.de^M Depth: 1^M Content-Type: application/xml; charset=UTF-8^M ^M <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"/> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status^M Server: nginx^M Date: Sun, 31 Mar 2024 08:16:38 GMT^M Content-Type: text/xml; charset=utf-8^M Content-Length: 2501^M Connection: keep-alive^M Cache-Control: no-cache^M Pragma: no-cache^M X-Frame-Options: SAMEORIGIN^M ^M <?xml version="1.0" encoding="utf-8"?>^M <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2^M FN:CardDavClient Test1700898322^M N:Test1700898322;CardDavClient^M NICKNAME:Jonny2^M TEL;TYPE=HOME:12345^M TEL:555^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373^M FN:CardDavClient Test1805300705^M N:Test1805300705;CardDavClient^M NICKNAME:Jonny0^M EMAIL;TYPE=WORK:doe@big.corp^M EMAIL;TYPE=HOME:johndoe@example.com^M X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d^M FN:CardDavClient Test574553324^M N:Test574553324;CardDavClient^M NICKNAME:Jonny1^M EMAIL:maxmu@abcd.com^M X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2^M FN:CardDavClient Test766095793^M N:Test766095793;CardDavClient^M NICKNAME:Jonny3^M ITEM1.EMAIL:foo@ex.com^M ITEM1.X-ABLABEL:CustomLabel^M IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> NULL Second test which queries cards NOT having an EMAIL property also returns the entire addressbook: [2024-04-15 18:30:57]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1^M Content-Length: 406^M User-Agent: GuzzleHttp/7^M Host: etain.mike2k.de^M Depth: 1^M Content-Type: application/xml; charset=UTF-8^M ^M <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"> <CARDDAV:is-not-defined/> </CARDDAV:prop-filter> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status^M Server: nginx^M Date: Mon, 15 Apr 2024 18:30:57 GMT^M Content-Type: text/xml; charset=utf-8^M Content-Length: 2501^M Connection: keep-alive^M Cache-Control: no-cache^M Pragma: no-cache^M X-Frame-Options: SAMEORIGIN^M ^M <?xml version="1.0" encoding="utf-8"?>^M <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb^M FN:CardDavClient Test106944330^M N:Test106944330;CardDavClient^M NICKNAME:Jonny0^M EMAIL;TYPE=WORK:doe@big.corp^M EMAIL;TYPE=HOME:johndoe@example.com^M X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c^M FN:CardDavClient Test1159176400^M N:Test1159176400;CardDavClient^M NICKNAME:Jonny3^M ITEM1.EMAIL:foo@ex.com^M ITEM1.X-ABLABEL:CustomLabel^M IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b^M FN:CardDavClient Test1608788681^M N:Test1608788681;CardDavClient^M NICKNAME:Jonny2^M TEL;TYPE=HOME:12345^M TEL:555^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d^M FN:CardDavClient Test162369677^M N:Test162369677;CardDavClient^M NICKNAME:Jonny1^M EMAIL:maxmu@abcd.com^M X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> NULL
Additional Information	The addressbook-query report is useful for usage scenarios where the client does not synchronize addressbook contents to a local cache but instead uses addressbook-query to directly query the addressbook server for needed objects. Therefore, it is crucial for good performance that the addressbook server only returns the requested data. Example use case is an E-Mail client that would only be interested in vcards containing an EMAIL property. RFC reference: RFC6352, "CARDDAV:prop-filter XML Element" A vCard property of the type specified by the "name" attribute exists, and the CARDDAV:prop-filter is empty, or [...]
Tags	No tags attached.

mstilkerich

2024-04-15 18:39

reporter ~0017710

Sorry for the broken formatting, I wasn't aware that the text field where accepting some form of markup language. It seems I cannot edit the text anymore. I have attached a text file with the HTTP trace for better readability.

AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt (7,647 bytes)

REPORTED: https://bugs.sogo.nu/view.php?id=5954

Test: Query an addressbook for vcards that have an EMAIL property.
Expected result: Only contacts with an EMAIL property are returned.
Actual result: SOGo appears to ignore prop-filter that tests for presence or absence of a property and returns all cards
  of the addressbook. The VCard with NICKNAME:Jonny0 should not have been part of the result. Similar tests (e.g. search
  vcards that do NOT have an EMAIL property) show similar results.
RFC reference: RFC6352, "CARDDAV:prop-filter XML Element"
  A vCard property of the type specified by the "name" attribute exists, and the CARDDAV:prop-filter is empty, or [...]

[2024-03-31 08:16:38]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207
>>>>>>>>
REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1
Content-Length: 353
User-Agent: GuzzleHttp/7
Host: etain.mike2k.de
Depth: 1
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0"?>
<CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/">
 <DAV:prop>
  <DAV:getetag/>
  <CARDDAV:address-data/>
 </DAV:prop>
 <CARDDAV:filter test="anyof">
  <CARDDAV:prop-filter name="EMAIL" test="anyof"/>
 </CARDDAV:filter>
</CARDDAV:addressbook-query>

<<<<<<<<
HTTP/1.1 207 Multi-Status
Server: nginx
Date: Sun, 31 Mar 2024 08:16:38 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 2501
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Frame-Options: SAMEORIGIN

<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2
FN:CardDavClient Test1700898322
N:Test1700898322;CardDavClient
NICKNAME:Jonny2
TEL;TYPE=HOME:12345
TEL:555
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373
FN:CardDavClient Test1805300705
N:Test1805300705;CardDavClient
NICKNAME:Jonny0
EMAIL;TYPE=WORK:doe@big.corp
EMAIL;TYPE=HOME:johndoe@example.com
X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d
FN:CardDavClient Test574553324
N:Test574553324;CardDavClient
NICKNAME:Jonny1
EMAIL:maxmu@abcd.com
X-CUSTOMPROP;X-SPACEPARAM=&quot;HELLO, WORLD&quot;;X-CUSTOMPARAM=HOME,WORK:foobar
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2
FN:CardDavClient Test766095793
N:Test766095793;CardDavClient
NICKNAME:Jonny3
ITEM1.EMAIL:foo@ex.com
ITEM1.X-ABLABEL:CustomLabel
IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
--------
NULL



TEST 2: Query cards NOT having an EMAIL property also returns all cards.


[2024-04-15 18:30:57]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207
>>>>>>>>
REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1
Content-Length: 406
User-Agent: GuzzleHttp/7
Host: etain.mike2k.de
Depth: 1
Content-Type: application/xml; charset=UTF-8

<?xml version="1.0"?>
<CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/">
 <DAV:prop>
  <DAV:getetag/>
  <CARDDAV:address-data/>
 </DAV:prop>
 <CARDDAV:filter test="anyof">
  <CARDDAV:prop-filter name="EMAIL" test="anyof">
   <CARDDAV:is-not-defined/>
  </CARDDAV:prop-filter>
 </CARDDAV:filter>
</CARDDAV:addressbook-query>

<<<<<<<<
HTTP/1.1 207 Multi-Status
Server: nginx
Date: Mon, 15 Apr 2024 18:30:57 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 2501
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Frame-Options: SAMEORIGIN

<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb
FN:CardDavClient Test106944330
N:Test106944330;CardDavClient
NICKNAME:Jonny0
EMAIL;TYPE=WORK:doe@big.corp
EMAIL;TYPE=HOME:johndoe@example.com
X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c
FN:CardDavClient Test1159176400
N:Test1159176400;CardDavClient
NICKNAME:Jonny3
ITEM1.EMAIL:foo@ex.com
ITEM1.X-ABLABEL:CustomLabel
IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b
FN:CardDavClient Test1608788681
N:Test1608788681;CardDavClient
NICKNAME:Jonny2
TEL;TYPE=HOME:12345
TEL:555
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.4//EN
UID:sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d
FN:CardDavClient Test162369677
N:Test162369677;CardDavClient
NICKNAME:Jonny1
EMAIL:maxmu@abcd.com
X-CUSTOMPROP;X-SPACEPARAM=&quot;HELLO, WORLD&quot;;X-CUSTOMPARAM=HOME,WORK:foobar
END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
--------
NULL

AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt (7,647 bytes)

Date Modified	Username	Field
2024-04-15 18:33	mstilkerich	New Issue
2024-04-15 18:39	mstilkerich	Note Added: 0017710
2024-04-15 18:39	mstilkerich	File Added: AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt

View Issue Details

Activities

Issue History