httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40217] - mod_dav PROPFIND ignores access restrictions on items in a collection
Date Thu, 10 Aug 2006 14:39:06 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=40217





------- Additional Comments From jorton@redhat.com  2006-08-10 14:39 -------
[collision with joshua]

I completely agree with Ruediger that the correct behaviour should be to reveal
the existence/non-existence of a resource by name in mod_dav.

mod_dav does not however apply any access control checks during a PROPFIND walk,
which is certainly a bug: you can do a Depth: infinity walk straight through
protected areas, and discover properties of protected resources in a Depth: 1
even if infinity is disabled.  Fixing this was somewhat more complicated than
just adding a subreq call in the walker because of the error handling IIRC from
working on this for mod_dav 1.0.

Returning simply a name in a 200 propstat for protected resources is probably
correct; not sure how DAV clients will react to such resources though.

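An added example, not part of the bug report or of mod_dav: a regression check that reads a PROPFIND 207 Multi-Status body and reports resources under access-restricted paths whose 200 propstat reveals more than a name. The function names, the list of protected prefixes, the sample body, and the reading of "simply a name" as `displayname` are all assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

DAV = "{DAV:}"

# Constructed 207 Multi-Status body for a Depth: 1 PROPFIND (not captured traffic).
SAMPLE = """<D:multistatus xmlns:D="DAV:">
<D:response><D:href>/dav/public/readme.txt</D:href><D:propstat>
  <D:prop><D:getcontentlength>120</D:getcontentlength></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
<D:response><D:href>/dav/private/</D:href><D:propstat>
  <D:prop><D:displayname>private</D:displayname></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
<D:response><D:href>/dav/priv%61te/plan.doc</D:href><D:propstat>
  <D:prop><D:getlastmodified>Thu, 10 Aug 2006 14:39:06 GMT</D:getlastmodified>
  <D:getetag>abc</D:getetag></D:prop>
  <D:status>HTTP/1.1 200 OK</D:status></D:propstat><D:propstat>
  <D:prop><D:lockdiscovery/></D:prop>
  <D:status>HTTP/1.1 403 Forbidden</D:status></D:propstat></D:response>
</D:multistatus>"""


def is_protected(href, prefixes):
    """True if the decoded, normalized path of href is at or below a protected prefix."""
    path = posixpath.normpath(unquote(urlsplit(href).path))
    return any(path == p or path.startswith(p + "/")
               for p in (x.rstrip("/") for x in prefixes))


def leaked_properties(body, prefixes, allowed=frozenset({"displayname"})):
    """Map each protected href to the props its 200 propstat reveals beyond `allowed`."""
    findings = {}
    for resp in ET.fromstring(body).iter(DAV + "response"):
        href = (resp.findtext(DAV + "href") or "").strip()
        if not is_protected(href, prefixes):
            continue
        exposed = set()
        for ps in resp.findall(DAV + "propstat"):
            # Only properties reported with a 200 status were actually disclosed.
            status = (ps.findtext(DAV + "status") or "").split()
            if len(status) > 1 and status[1] == "200":
                exposed.update(el.tag.rsplit("}", 1)[-1]
                               for el in ps.findall(DAV + "prop/*"))
        if exposed - allowed:
            findings[href] = sorted(exposed - allowed)
    return findings
```

Run it against a response fetched by an account that has no rights on the protected paths; hrefs are percent-decoded and normalized before matching so an encoded path does not slip past the prefix check.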