0005954: CardDAV addressbook-query report does not evaluate prop-filter test for (non-)existence of a property - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0005954	SOGo	Backend Address Book	public	2024-04-15 18:33	2025-03-13 13:52

Reporter	mstilkerich	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Platform	Server	OS	Debian	OS Version	11
Product Version	5.10.0

Summary	0005954: CardDAV addressbook-query report does not evaluate prop-filter test for (non-)existence of a property
Description	The CardDAV addressbook-query report supports searching for vcards that have (or do not have) a given property, independent of its value. SOGo appears to ignore such prop-filter elements and instead returns all cards.
Steps To Reproduce	Here is a trace of the request (Authorization header stripped). The request asks for all vcards containing an EMAIL property. The answer contains the entire addressbook (it is from a test suite and the addressbook only has these four cards), the first card in the answer is not expected. [2024-03-31 08:16:38]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 >>>>>>>> REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1^M Content-Length: 353^M User-Agent: GuzzleHttp/7^M Host: etain.mike2k.de^M Depth: 1^M Content-Type: application/xml; charset=UTF-8^M ^M <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"/> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status^M Server: nginx^M Date: Sun, 31 Mar 2024 08:16:38 GMT^M Content-Type: text/xml; charset=utf-8^M Content-Length: 2501^M Connection: keep-alive^M Cache-Control: no-cache^M Pragma: no-cache^M X-Frame-Options: SAMEORIGIN^M ^M <?xml version="1.0" encoding="utf-8"?>^M <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2^M FN:CardDavClient Test1700898322^M N:Test1700898322;CardDavClient^M NICKNAME:Jonny2^M TEL;TYPE=HOME:12345^M TEL:555^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373^M FN:CardDavClient Test1805300705^M N:Test1805300705;CardDavClient^M NICKNAME:Jonny0^M EMAIL;TYPE=WORK:doe@big.corp^M EMAIL;TYPE=HOME:johndoe@example.com^M X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d^M FN:CardDavClient Test574553324^M N:Test574553324;CardDavClient^M NICKNAME:Jonny1^M EMAIL:maxmu@abcd.com^M X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2^M FN:CardDavClient Test766095793^M N:Test766095793;CardDavClient^M NICKNAME:Jonny3^M ITEM1.EMAIL:foo@ex.com^M ITEM1.X-ABLABEL:CustomLabel^M IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> -------- NULL Second test which queries cards NOT having an EMAIL property also returns the entire addressbook: [2024-04-15 18:30:57]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 >>>>>>>> REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1^M Content-Length: 406^M User-Agent: GuzzleHttp/7^M Host: etain.mike2k.de^M Depth: 1^M Content-Type: application/xml; charset=UTF-8^M ^M <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"> <CARDDAV:is-not-defined/> </CARDDAV:prop-filter> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status^M Server: nginx^M Date: Mon, 15 Apr 2024 18:30:57 GMT^M Content-Type: text/xml; charset=utf-8^M Content-Length: 2501^M Connection: keep-alive^M Cache-Control: no-cache^M Pragma: no-cache^M X-Frame-Options: SAMEORIGIN^M ^M <?xml version="1.0" encoding="utf-8"?>^M <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb^M FN:CardDavClient Test106944330^M N:Test106944330;CardDavClient^M NICKNAME:Jonny0^M EMAIL;TYPE=WORK:doe@big.corp^M EMAIL;TYPE=HOME:johndoe@example.com^M X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c^M FN:CardDavClient Test1159176400^M N:Test1159176400;CardDavClient^M NICKNAME:Jonny3^M ITEM1.EMAIL:foo@ex.com^M ITEM1.X-ABLABEL:CustomLabel^M IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b^M FN:CardDavClient Test1608788681^M N:Test1608788681;CardDavClient^M NICKNAME:Jonny2^M TEL;TYPE=HOME:12345^M TEL:555^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD^M VERSION:3.0^M PRODID:-//Sabre//Sabre VObject 4.5.4//EN^M UID:sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d^M FN:CardDavClient Test162369677^M N:Test162369677;CardDavClient^M NICKNAME:Jonny1^M EMAIL:maxmu@abcd.com^M X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar^M END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> -------- NULL
Additional Information	The addressbook-query report is useful for usage scenarios where the client does not synchronize addressbook contents to a local cache but instead uses addressbook-query to directly query the addressbook server for needed objects. Therefore, it is crucial for good performance that the addressbook server only returns the requested data. Example use case is an E-Mail client that would only be interested in vcards containing an EMAIL property. RFC reference: RFC6352, "CARDDAV:prop-filter XML Element" A vCard property of the type specified by the "name" attribute exists, and the CARDDAV:prop-filter is empty, or [...]
Tags	No tags attached.

mstilkerich 2024-04-15 18:39 reporter ~0017710	Sorry for the broken formatting, I wasn't aware that the text field where accepting some form of markup language. It seems I cannot edit the text anymore. I have attached a text file with the HTTP trace for better readability. AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt (7,647 bytes) REPORTED: https://bugs.sogo.nu/view.php?id=5954 Test: Query an addressbook for vcards that have an EMAIL property. Expected result: Only contacts with an EMAIL property are returned. Actual result: SOGo appears to ignore prop-filter that tests for presence or absence of a property and returns all cards of the addressbook. The VCard with NICKNAME:Jonny0 should not have been part of the result. Similar tests (e.g. search vcards that do NOT have an EMAIL property) show similar results. RFC reference: RFC6352, "CARDDAV:prop-filter XML Element" A vCard property of the type specified by the "name" attribute exists, and the CARDDAV:prop-filter is empty, or [...] [2024-03-31 08:16:38]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 >>>>>>>> REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1 Content-Length: 353 User-Agent: GuzzleHttp/7 Host: etain.mike2k.de Depth: 1 Content-Type: application/xml; charset=UTF-8 <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"/> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status Server: nginx Date: Sun, 31 Mar 2024 08:16:38 GMT Content-Type: text/xml; charset=utf-8 Content-Length: 2501 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Frame-Options: SAMEORIGIN <?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-38f17a20-2ac8-4a90-ab13-2ef2241c62f2 FN:CardDavClient Test1700898322 N:Test1700898322;CardDavClient NICKNAME:Jonny2 TEL;TYPE=HOME:12345 TEL:555 END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-975454eb-5dd0-4c4d-9fb3-75fb0da13373 FN:CardDavClient Test1805300705 N:Test1805300705;CardDavClient NICKNAME:Jonny0 EMAIL;TYPE=WORK:doe@big.corp EMAIL;TYPE=HOME:johndoe@example.com X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-25d5dbc1-b44a-402d-a686-87c961eb0e3d FN:CardDavClient Test574553324 N:Test574553324;CardDavClient NICKNAME:Jonny1 EMAIL:maxmu@abcd.com X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-2ff7b2e2-4f0b-4a7d-8eb3-52ed6e758df2 FN:CardDavClient Test766095793 N:Test766095793;CardDavClient NICKNAME:Jonny3 ITEM1.EMAIL:foo@ex.com ITEM1.X-ABLABEL:CustomLabel IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> -------- NULL TEST 2: Query cards NOT having an EMAIL property also returns all cards. [2024-04-15 18:30:57]: [2 NFO] "REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1" 207 >>>>>>>> REPORT /SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/ HTTP/1.1 Content-Length: 406 User-Agent: GuzzleHttp/7 Host: etain.mike2k.de Depth: 1 Content-Type: application/xml; charset=UTF-8 <?xml version="1.0"?> <CARDDAV:addressbook-query xmlns:DAV="DAV:" xmlns:CARDDAV="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/"> <DAV:prop> <DAV:getetag/> <CARDDAV:address-data/> </DAV:prop> <CARDDAV:filter test="anyof"> <CARDDAV:prop-filter name="EMAIL" test="anyof"> <CARDDAV:is-not-defined/> </CARDDAV:prop-filter> </CARDDAV:filter> </CARDDAV:addressbook-query> <<<<<<<< HTTP/1.1 207 Multi-Status Server: nginx Date: Mon, 15 Apr 2024 18:30:57 GMT Content-Type: text/xml; charset=utf-8 Content-Length: 2501 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Frame-Options: SAMEORIGIN <?xml version="1.0" encoding="utf-8"?> <D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:carddav"><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-f7104ce9-510f-478c-bd9f-1fa2829a32cb FN:CardDavClient Test106944330 N:Test106944330;CardDavClient NICKNAME:Jonny0 EMAIL;TYPE=WORK:doe@big.corp EMAIL;TYPE=HOME:johndoe@example.com X-CUSTOMPROP;X-CUSTOMPARAM=WORK:foobar END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-31c2d106-2222-41e3-9c68-00114c85812c FN:CardDavClient Test1159176400 N:Test1159176400;CardDavClient NICKNAME:Jonny3 ITEM1.EMAIL:foo@ex.com ITEM1.X-ABLABEL:CustomLabel IMPP;TYPE=HOME;X-SERVICE-TYPE=Jabber:xmpp:foo@example.com END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-246ff96d-ef2f-41f3-ba8a-38024e149b7b FN:CardDavClient Test1608788681 N:Test1608788681;CardDavClient NICKNAME:Jonny2 TEL;TYPE=HOME:12345 TEL:555 END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>/SOGo/dav/mikey@dev.mike2k.de/Contacts/personal/sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d.vcf</D:href><D:propstat><D:prop><D:getetag>"gcs00000000"</D:getetag><C:address-data>BEGIN:VCARD VERSION:3.0 PRODID:-//Sabre//Sabre VObject 4.5.4//EN UID:sabre-vobject-66b901fe-718d-40f9-b194-d09038dbbe8d FN:CardDavClient Test162369677 N:Test162369677;CardDavClient NICKNAME:Jonny1 EMAIL:maxmu@abcd.com X-CUSTOMPROP;X-SPACEPARAM="HELLO, WORLD";X-CUSTOMPARAM=HOME,WORK:foobar END:VCARD</C:address-data></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus> -------- NULL AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt (7,647 bytes)

Christian Mack 2025-03-13 13:52 developer ~0018118	Escaped logs

Date Modified	Username	Field	Change
2024-04-15 18:33	mstilkerich	New Issue
2024-04-15 18:39	mstilkerich	Note Added: 0017710
2024-04-15 18:39	mstilkerich	File Added: AbookQuery_PropFilterHasProp_OrNotHasProp_Ignored.txt
2025-03-13 13:52	Christian Mack	Steps to Reproduce Updated
2025-03-13 13:52	Christian Mack	Note Added: 0018118