Internal server error on REPORT DAV:sync-collection with result limit

[rfc2822]

Steps to reproduce

1. Create an address book in Nextcloud and make sure it's available over CardDAV
2. Send a REPORT DAV:sync-collection request with a body like this:

<?xml version='1.0' encoding='UTF-8' ?>
<sync-collection xmlns="DAV:">
  <sync-token>http://sabre.io/ns/sync/5</sync-token>
  <sync-level>1</sync-level>
  <limit><nresults>100</nresults></limit>
  <prop><getetag /></prop>
</sync-collection>

Note the <limit><nresults>100</nresults></limit> part which requests max. 100 results.

3. Nextcloud returns this 500 Internal server error:

    <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
      <s:exception>Doctrine\DBAL\Exception\SyntaxErrorException</s:exception>
      <s:message>An exception occurred while executing 'SELECT `uri`, `operation` FROM `oc_addressbookchanges` WHERE `synctoken` &gt;= ? AND `synctoken` &lt; ? AND `addressbookid` = ? ORDER BY `synctoken` `LIMIT` 100' with params ["5", "8", "6"]:
    
    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '`LIMIT` 100' at line 1</s:message>
    </d:error>

Also, when requesting an initial sync (no sync-token) with limit nresults=100, the server sends all results without batching. Instead, it should send 507.

Expected behaviour

Nextcloud should return either up to 100 results, or, if this is not supported, HTTP 507 and an appropriate postcondition error code, see RFC 6578 3.12 Example: DAV:sync-collection Report with Unsupported Limit

Server configuration

Nextcloud version: 13.0.2

Signing status: No errors have been found.

Nextcloud configuration:

Config report

The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nc.dev001.net"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nc.dev001.net",
        "dbtype": "mysql",
        "version": "13.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "trashbin_retention_obligation": "auto, 30",
        "theme": "",
        "loglevel": 2,
        "apps_paths": [
            {
                "path": "\/usr\/local\/www\/nextcloud\/apps",
                "url": "\/apps",
                "writable": true
            },
            {
                "path": "\/usr\/local\/www\/nextcloud\/apps-pkg",
                "url": "\/apps-pkg",
                "writable": false
            }
        ]
    }
}

Are you using encryption: no

[georgehrke]

   When truncation occurs, the DAV:sync-token value returned in the
   response MUST represent the correct state for the partial set of
   changes returned.  That allows the client to use the returned
   DAV:sync-token to fetch the next set of changes.  In this way, the
   client can effectively "page" through the entire set of changes in a
   consistent manner.

https://tools.ietf.org/html/rfc6578#section-3.6