Webdav ALWAYS requires token setup and requires parsing `$` inside default URL

[Mayurifag]

Initial Checklist

• I understand this is a bug report and questions should be posted in the Community Discussions
• I searched issues and couldn’t find anything (or linked relevant results below)

Bug Description

1. Webdav explicetely requires to use app token for password. That is not stated anywhere, that user's password does not work (mine is from LDAP)

2. A lot of software seem to not be ready to use URL provided by Opencloud as they dont expect there might be $ symbol inside URL or something. So people might be not use webdav even though its actually working, but requires bug reports for app developers.

I thought it is good idea for Personal space actually provide another URL for files, because short alternative URL works and does not contain '$' symbol. Compare:

• too long, '$' symbol

https://cloud.example.com/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/

• shorter, no '$' symbol, doesnt require any hussle and ALREADY WORKS

https://cloud.example.com/remote.php/dav/files/mayurifag/

Reproduction Steps

1. For wrong user password, first one is token, second one is user pass:

curl -u "mayurifag:some token pass landed latch basis" -X PROPFIND 'https://cloud.example.com/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/' -H "Depth: 0"

<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/</d:href><d:propstat><d:prop><oc:id>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e!aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:id><oc:fileid>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e!aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:fileid><oc:spaceid>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:spaceid><oc:file-parent>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:file-parent><oc:name>mayurifag</oc:name><d:displayname>mayurifag</d:displayname><d:getetag>"b364df165d91287c0d8cee525833564d"</d:getetag><oc:permissions>RDNVCKZP</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>13390214566</oc:size><d:getlastmodified>Mon, 29 Dec 2025 18:31:56 GMT</d:getlastmodified><oc:tags></oc:tags><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><oc:audio></oc:audio><oc:location></oc:location><oc:image></oc:image><oc:photo></oc:photo><oc:has-preview></oc:has-preview></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>%

---

curl -u "mayurifag:CORRECTUSERPASS" -X PROPFIND 'https://cloud.example.com/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/' -H "Depth: 0"

<?xml version="1.0" encoding="UTF-8"?>
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns"><s:Exception>Sabre\DAV\Exception\PermissionDenied</s:Exception><s:Message>Authentication error</s:Message></d:error>%

2. Lets say we operate on zsh and we did not see the need to escape '$' symbol (only meaninful part is one command has url in backticks like 'url.com', other is not:

curl -u "mayurifag:pass" -X PROPFIND 'https://cloud.example.com/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/' -H "Depth: 0"

<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/</d:href><d:propstat><d:prop><oc:id>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e!aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:id><oc:fileid>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e!aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:fileid><oc:spaceid>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:spaceid><oc:file-parent>1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e</oc:file-parent><oc:name>mayurifag</oc:name><d:displayname>mayurifag</d:displayname><d:getetag>"b364df165d91287c0d8cee525833564d"</d:getetag><oc:permissions>RDNVCKZP</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>13390214566</oc:size><d:getlastmodified>Mon, 29 Dec 2025 18:31:56 GMT</d:getlastmodified><oc:tags></oc:tags><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><oc:audio></oc:audio><oc:location></oc:location><oc:image></oc:image><oc:photo></oc:photo><oc:has-preview></oc:has-preview></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>%

---

curl -u "mayurifag:pass" -X PROPFIND https://cloud.example.com/remote.php/dav/spaces/1e4f0e03-1c95-48f3-9dda-2f55e2feee87$aafa6733-2dff-4b1f-bff4-df6c981c6a5e/ -H "Depth: 0"

<?xml version="1.0" encoding="UTF-8"?>
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns"><s:exception>Sabre\DAV\Exception\NotFound</s:exception><s:message>Resource not found</s:message><s:errorcode></s:errorcode></d:error>%

Expected Outcome

1. User password might be used in webdav. Test on something complex, i.e. v7':bL':nW[,-$U[nZJ^>(\WY][k@T9L{th$PZ.W9_p$Ly5(o%t$sNxbDuN,
2. For personal space the shorter link might be provided to have less errors. Also notify about "$" symbol.

Actual Outcome

1. User password can't be used to use webdav and app token is required
2. Webdav URL is given without any notifying of nuances