Description
When saving an event from the Calendar web UI, the client sends a CalDAV PUT request for the event .ics resource with a duplicated charset parameter in the Content-Type header.
Observed sanitized request shape:
PUT /remote.php/dav/calendars/<user>/<calendar>/<uid>.ics
Content-Type: text/calendar; charset=UTF-8; component=vevent; charset=UTF-8
Because charset=UTF-8 appears twice, OWASP CRS / ModSecurity rule 920530 detects this as:
Multiple charsets detected in content type header
The WAF interrupts the request, so the event update fails. In the captured transaction the response status was 404 and transaction.is_interrupted was true.
Expected behavior
Calendar should send a valid Content-Type header with only one charset parameter, for example:
Content-Type: text/calendar; charset=UTF-8; component=vevent
or otherwise avoid duplicating charset when adding the VEVENT component parameter.
Actual behavior
Calendar sends:
Content-Type: text/calendar; charset=UTF-8; component=vevent; charset=UTF-8
This triggers OWASP CRS / ModSecurity rule 920530, causing the request to be blocked/interrupted.
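As an added example, not code from the Nextcloud Calendar app or its CalDAV library, the following JavaScript shows the header handling that avoids the duplicate: it parses a Content-Type value, reports parameter names that occur more than once (which is what the CRS protocol-enforcement check keys on), drops later repeats, and sets a parameter idempotently so that adding component=vevent to a header that already carries charset=UTF-8 cannot produce a second charset. Parameter names are compared case-insensitively, as RFC 2045 and RFC 7231 require. The function names, the token regex and the sample header are this example's own.

```javascript
// Added example (not Nextcloud Calendar code). Content-Type parameter handling
// that cannot emit the same parameter twice. Parameter names are
// case-insensitive, so "charset" and "CHARSET" are the same parameter.

function parseContentType(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const mediaType = (parts.shift() || '').toLowerCase();
  const params = [];
  for (const part of parts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // a token without "=" is not a parameter; skip it
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // strip quoting; formatValue() requotes if needed
    }
    params.push({ name, value });
  }
  return { mediaType, params };
}

// Quote a value only when it contains characters outside the HTTP token set.
function formatValue(value) {
  return /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(value)
    ? value
    : `"${value.replace(/["\\]/g, '\\$&')}"`;
}

function formatContentType({ mediaType, params }) {
  return [mediaType, ...params.map((p) => `${p.name}=${formatValue(p.value)}`)].join('; ');
}

// Parameter names that appear more than once, in first-seen order.
// An empty array means the header would not trip a multiple-charset check.
function duplicateParameters(header) {
  const counts = new Map();
  for (const { name } of parseContentType(header).params) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Keep the first occurrence of each parameter and drop later repeats.
function dedupeContentType(header) {
  const parsed = parseContentType(header);
  const seen = new Set();
  parsed.params = parsed.params.filter(({ name }) => {
    if (seen.has(name)) return false;
    seen.add(name);
    return true;
  });
  return formatContentType(parsed);
}

// Set a parameter idempotently: replace it in place if present, append otherwise.
// This is the operation needed when component=vevent is added to a header that
// already carries charset=UTF-8.
function withParameter(header, name, value) {
  const parsed = parseContentType(header);
  const key = name.toLowerCase();
  const existing = parsed.params.find((p) => p.name === key);
  if (existing) {
    existing.value = value;
  } else {
    parsed.params.push({ name: key, value });
  }
  return formatContentType(parsed);
}

// Constructed sample: the header shape observed in the report.
const observed = 'text/calendar; charset=UTF-8; component=vevent; charset=UTF-8';
console.log('duplicates:', duplicateParameters(observed));      // [ 'charset' ]
console.log('deduplicated:', dedupeContentType(observed));      // text/calendar; charset=UTF-8; component=vevent
console.log('idempotent add:',
  withParameter(withParameter('text/calendar; charset=UTF-8', 'component', 'vevent'), 'charset', 'UTF-8'));
```

duplicateParameters() is the client-side equivalent of the WAF check and is useful as a unit test on whatever code assembles the PUT headers; withParameter() is the shape the header assembly should take so that the component parameter and the charset parameter are set independently of each other.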
Steps to reproduce
- Open Nextcloud Calendar in Chrome on mobile.
- Edit an existing calendar event.
- Save the event.
- Inspect the resulting PUT request to /remote.php/dav/calendars/<user>/<calendar>/<uid>.ics.
- Observe that the Content-Type header contains charset=UTF-8 twice.
- With ModSecurity and OWASP CRS enabled, observe rule 920530 blocking the request.
Sanitized ModSecurity details
Request method: PUT
Request URI: /remote.php/dav/calendars/<user>/<calendar>/<uid>.ics
Relevant header: Content-Type: text/calendar; charset=UTF-8; component=vevent; charset=UTF-8
Response status: 404
Interrupted: true
ModSecurity: ModSecurity v3.0.15 (Linux)
Connector: ModSecurity-nginx v1.0.4
OWASP CRS: 4.25.0
Rule ID: 920530
Rule file: REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Rule message: Multiple charsets detected in content type header
Matched data: text/calendar; charset=utf-8; component=vevent; charset=utf-8
Rule tags: attack-protocol, paranoia-level/1, OWASP_CRS/PROTOCOL-ENFORCEMENT
Private domain, username, IP addresses, cookies, request token, session identifiers, ETag, Cloudflare request identifiers, and server identifiers have been removed.
Environment
- Nextcloud Server version: unknown
- Calendar app version: unknown
- Browser: Chrome mobile on Android
- Reverse proxy / WAF: ModSecurity with OWASP Core Rule Set enabled
- ModSecurity version: 3.0.15
- ModSecurity nginx connector: 1.0.4
- OWASP CRS version: 4.25.0
Related references
This may be related to previous Content-Type handling work in the CalDAV library: