khal icon indicating copy to clipboard operation
khal copied to clipboard
verified publisher icon pimutils

khal accepts events missing the TZOFFSETTO and TZOFFSETFROM properties

Open Phenitei opened this issue 5 years ago • 3 comments

Ave,

Thank you for your awesome work on khal!

It appears that khal does not sufficiently validate ICS files it is asked to import: in particular it does not verify for the presence of the tzoffsetto and tzoffsetfrom properties in the "STANDARD" and "DAYLIGHT" subcomponents of the "VTIMEZONE" component. This allows for importing events that will then break other clients after synchronization (e.g. Davx⁵).

It will also accept events without a PRODID, silently adding itself as a PRODID. I don't think that's a problem, but I just thought I'd mention it too.

Example accepted file (slimmed down from a real-world ICS offered by some random website):

BEGIN:VCALENDAR
VERSION:2.0
METHOD:PUBLISH
BEGIN:VTIMEZONE
TZID:Europe/Zurich
BEGIN:STANDARD
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU
DTSTART:19810329T020000
END:STANDARD
BEGIN:DAYLIGHT
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU
DTSTART:19810329T020000
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
CLASS:PUBLIC
CREATED:20200908T142600
DTEND;TZID=Europe/Zurich:20201029T221500
DTSTAMP;TZID=Europe/Zurich:20200908T142600
DTSTART;TZID=Europe/Zurich:20201029T204500
TRANSP:OPAQUE
UID:25b2ac7d-0ec9-43f2-91ba-ac869838f922
END:VEVENT
END:VCALENDAR

iCalendar validator output:

Missing required PRODID property near line # 1
Reference: RFC 5545 3.6. Calendar Components
Missing required TZOFFSETTO property near line # 6
Reference: RFC 5545 3.6.5. Time Zone Component
Missing required TZOFFSETFROM property near line # 6
Reference: RFC 5545 3.6.5. Time Zone Component
Missing required TZOFFSETTO property near line # 10
Reference: RFC 5545 3.6.5. Time Zone Component
Missing required TZOFFSETFROM property near line # 10
Reference: RFC 5545 3.6.5. Time Zone Component

OS/Distribuiton: GNU/Linux, Arch Linux Khal version: khal, version 0.10.2 Vdirsyncer version: vdirsyncer, version 0.16.9.dev0+gb5dd092.d20200713

Please ask if I can provide any additional useful information.

Phenitei avatar Oct 18 '20 12:10 Phenitei

Hi @Phenitei and thank you for your report.

I read the rfc5545 and all is not so clear for me but I'll try to figure out how TZOFFSETFROM and TZOFFSETTO` work.If someone have some documentation...

ephase avatar Oct 19 '20 20:10 ephase

Those VTIMEZONEs are definitively broken. The issue is, we are not parsing them at all, but icalendar (the library khal uses for handling icalendar files) looks at the TZID first and if it knows them, uses the known TZ information instead.

What we could do, is build in an additional validator and at least throw a warning when a broken .ics file is being imported.

@Phenitei Did you use the import command for importing those .ics files?

geier avatar May 12 '21 21:05 geier

@geier Thank you for your answer :)

Yes, I have used the import command. It would indeed make sense to validate the file recieved as an input; though this seems to be a problem with the icalendar library then - it should not accept an invalid file, even if it recognizes the TZID. I'll open an issue there too.

ghost avatar May 13 '21 13:05 ghost