Remove IcalError from caldav/carddav since it had an ambiguous status code

crates/caldav/src/calendar/methods/import.rs

@@ -26,7 +26,10 @@ pub async fn route_import<C: CalendarStore, S: SubscriptionStore>(
     }
 
     let parser = ical::IcalParser::from_slice(body.as_bytes());
-    let mut cal = parser.expect_one()?.mutable();
+    let mut cal = match parser.expect_one() {
+        Ok(cal) => cal.mutable(),
+        Err(err) => return Ok((StatusCode::BAD_REQUEST, err.to_string()).into_response()),
+    };
 
     // Extract calendar metadata
     let displayname = cal
@@ -67,7 +70,10 @@ pub async fn route_import<C: CalendarStore, S: SubscriptionStore>(
         cal_components.push(CalendarObjectType::Todo);
     }
 
-    let objects = cal.into_objects()?.into_iter().map(Into::into).collect();
+    let objects = match cal.into_objects() {
+        Ok(objects) => objects.into_iter().map(Into::into).collect(),
+        Err(err) => return Ok((StatusCode::BAD_REQUEST, err.to_string()).into_response()),
+    };
     let new_cal = Calendar {
         principal,
         id: cal_id,

crates/caldav/src/error.rs

@@ -52,9 +52,6 @@ pub enum Error {
     #[error(transparent)]
     XmlDecodeError(#[from] rustical_xml::XmlError),
 
-    #[error(transparent)]
-    IcalError(#[from] rustical_ical::Error),
-
     #[error(transparent)]
     PreconditionFailed(Precondition),
 }
@@ -75,8 +72,6 @@ impl Error {
             Self::XmlDecodeError(_) => StatusCode::BAD_REQUEST,
             Self::ChronoParseError(_) | Self::NotImplemented => StatusCode::INTERNAL_SERVER_ERROR,
             Self::NotFound => StatusCode::NOT_FOUND,
-            // TODO: Can also be Bad Request, if it's used input
-            Self::IcalError(_err) => StatusCode::INTERNAL_SERVER_ERROR,
             Self::PreconditionFailed(_err) => StatusCode::PRECONDITION_FAILED,
         }
     }

crates/carddav/src/address_object/methods.rs

@@ -103,7 +103,10 @@ pub async fn put_object<AS: AddressbookStore>(
         true
     };
 
-    let object = AddressObject::from_vcf(body)?;
+    let object = match AddressObject::from_vcf(body) {
+        Ok(object) => object,
+        Err(err) => return Ok((StatusCode::BAD_REQUEST, err.to_string()).into_response()),
+    };
     let etag = object.get_etag();
     addr_store
         .put_object(&principal, &addressbook_id, &object_id, object, overwrite)

crates/carddav/src/error.rs

@@ -23,9 +23,6 @@ pub enum Error {
 
     #[error(transparent)]
     XmlDecodeError(#[from] rustical_xml::XmlError),
-
-    #[error(transparent)]
-    IcalError(#[from] rustical_ical::Error),
 }
 
 impl Error {
@@ -43,8 +40,6 @@ impl Error {
             Self::XmlDecodeError(_) => StatusCode::BAD_REQUEST,
             Self::ChronoParseError(_) | Self::NotImplemented => StatusCode::INTERNAL_SERVER_ERROR,
             Self::NotFound => StatusCode::NOT_FOUND,
-            // TODO: Can also be Bad Request, if it's used input
-            Self::IcalError(_err) => StatusCode::INTERNAL_SERVER_ERROR,
         }
     }
 }

crates/dav/src/resource/methods/copy.rs

@@ -6,12 +6,15 @@ use axum::{
     extract::{MatchedPath, Path, State},
     response::{IntoResponse, Response},
 };
+use axum_extra::TypedHeader;
+use headers::Host;
 use http::{HeaderMap, StatusCode, Uri};
 use matchit_serde::ParamsDeserializer;
 use serde::Deserialize;
 use tracing::instrument;
 
 #[instrument(skip(path, resource_service,))]
+#[allow(clippy::too_many_arguments)]
 pub async fn axum_route_copy<R: ResourceService>(
     Path(path): Path<R::PathComponents>,
     State(resource_service): State<R>,
@@ -20,6 +23,7 @@ pub async fn axum_route_copy<R: ResourceService>(
     Overwrite(overwrite): Overwrite,
     matched_path: MatchedPath,
     header_map: HeaderMap,
+    TypedHeader(host): TypedHeader<Host>,
 ) -> Result<Response, R::Error> {
     let destination = header_map
         .get("Destination")
@@ -27,7 +31,11 @@ pub async fn axum_route_copy<R: ResourceService>(
         .to_str()
         .map_err(|_| crate::Error::Forbidden)?;
     let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?;
-    // TODO: Check that host also matches
+    if let Some(authority) = destination_uri.authority()
+        && host != authority.clone().into()
+    {
+        return Err(crate::Error::Forbidden.into());
+    }
     let destination = destination_uri.path();
 
     let mut router = matchit::Router::new();

crates/dav/src/resource/methods/mv.rs

@@ -6,12 +6,15 @@ use axum::{
     extract::{MatchedPath, Path, State},
     response::{IntoResponse, Response},
 };
+use axum_extra::TypedHeader;
+use headers::Host;
 use http::{HeaderMap, StatusCode, Uri};
 use matchit_serde::ParamsDeserializer;
 use serde::Deserialize;
 use tracing::instrument;
 
 #[instrument(skip(path, resource_service,))]
+#[allow(clippy::too_many_arguments)]
 pub async fn axum_route_move<R: ResourceService>(
     Path(path): Path<R::PathComponents>,
     State(resource_service): State<R>,
@@ -20,6 +23,7 @@ pub async fn axum_route_move<R: ResourceService>(
     Overwrite(overwrite): Overwrite,
     matched_path: MatchedPath,
     header_map: HeaderMap,
+    TypedHeader(host): TypedHeader<Host>,
 ) -> Result<Response, R::Error> {
     let destination = header_map
         .get("Destination")
@@ -27,7 +31,11 @@ pub async fn axum_route_move<R: ResourceService>(
         .to_str()
         .map_err(|_| crate::Error::Forbidden)?;
     let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?;
-    // TODO: Check that host also matches
+    if let Some(authority) = destination_uri.authority()
+        && host != authority.clone().into()
+    {
+        return Err(crate::Error::Forbidden.into());
+    }
     let destination = destination_uri.path();
 
     let mut router = matchit::Router::new();