2014/09/18

Yahoo!'s CardDAV server may have introduced a new bug!


Today (2014-09-19), someone reported strange behavior while using EVO Collaborator for Outlook (which is a CardDAV client for Outlook).




The behavior occurs when you try to create a new contact via the CardDAV protocol on Yahoo!'s carddav.address.yahoo.com server. No new contact is ever created. Yet, an existing contact is erased!

What a terrible problem! We tried to investigate the cause. First, we read the RFC again; the RFC document for CardDAV is RFC 6352.

Section 6.3.2, Creating Address Object Resources, says:


When servers create new resources, it's not hard for the server to choose a unique URL. It's slightly tougher for clients, because a client might not want to examine all resources in the collection and might not want to lock the entire collection to ensure that a new one isn't created with a name collision. However, there is an HTTP feature to mitigate this. If the client intends to create a new address resource, the client SHOULD use the HTTP header "If-None-Match: *" on the PUT request. The Request-URI on the PUT request MUST include the target collection, where the resource is to be created, plus the name of the resource in the last path segment. The "If-None-Match" header ensures that the client will not inadvertently overwrite an existing resource even if the last path segment turned out to already be used.

After detailed and thorough tests, we are certain that the PUT request made by ECO is totally compatible with what the RFC says. Now we are almost certain that the problem is caused by Yahoo!'s server.

But we still need very strong evidence to confirm this. So, I added a Yahoo! CardDAV account on my iPhone, using an "App password" (the Yahoo! password no longer works), and voilà! The same error happens with the iPhone: when you create a new contact, it erases an existing one.
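The create-only PUT from RFC 6352 section 6.3.2, together with a before/after ETag comparison that flags the data loss described above. This is an added example, not code from ECO or Yahoo!; the in-memory servers, the collection path `/dav/user/Contacts/` and the 201 status returned by the faulty server are assumptions made for illustration.

```python
import uuid

class AddressBook:
    """In-memory stand-in for a CardDAV collection (constructed for this example)."""
    def __init__(self, resources=None):
        self.resources = dict(resources or {})  # path -> ETag

    def snapshot(self):
        # A real client would build this map from a PROPFIND for getetag.
        return dict(self.resources)

    def put(self, path, headers):
        exists = path in self.resources
        # RFC 6352 6.3.2: "If-None-Match: *" makes the PUT create-only.
        if headers.get("If-None-Match") == "*" and exists:
            return 412  # Precondition Failed, existing card left untouched
        self.resources[path] = '"%s"' % uuid.uuid4().hex
        return 204 if exists else 201

class FaultyAddressBook(AddressBook):
    """Models the symptom reported in the post: nothing created, one card gone."""
    def put(self, path, headers):
        if self.resources:
            self.resources.pop(next(iter(self.resources)))
        return 201  # assumed status; the post does not say what the server returned

def audit_create(before, after, new_path, status):
    """Compare ETag snapshots taken before and after a create-only PUT."""
    return {
        "created": status == 201 and new_path in after,
        "lost": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
    }

def create_contact(book, collection="/dav/user/Contacts/"):
    """Client side: PUT to a fresh name with If-None-Match: *, then audit the result."""
    before = book.snapshot()
    path = collection + str(uuid.uuid4()) + ".vcf"
    status = book.put(path, {"If-None-Match": "*"})
    return path, status, audit_create(before, book.snapshot(), path, status)
```

A non-empty `lost` or `changed` list after a create means the server touched resources the request never named, which is the condition to alert on and to stop syncing.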

I hope Yahoo! can fix this soon!