
Re: COPY: "Duplicate" functionality

From: Daurnimator <quae@daurnimator.com>
Date: Fri, 9 Dec 2016 15:16:17 +1100
Message-ID: <CAEnbY+cx4S2OmnnOAG2PgfALYqA2P7Pyuy0cyrTd_ftgNEeFtg@mail.gmail.com>
To: ChanMaxthon <xcvista@me.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, Graham Leggett <minfrin@sharp.fm>, HTTP Working Group <ietf-http-wg@w3.org>
On 1 November 2016 at 16:18, ChanMaxthon <xcvista@me.com> wrote:
> I think you can generate a name, HEAD it, and then COPY it if you get a 404.

That's a latent TOCTOU vulnerability.

Instead, specify "Overwrite: F" and do the copy with a suffix of your
choosing, e.g. " (1)".
If you get a 412 in response then increment and try with e.g. a suffix of " (2)".

Alternatively, you could generate a unique path (e.g. a UUID) and use that.
Received on Friday, 9 December 2016 04:16:52 UTC
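The retry loop described in the message above, written out as an added example in Python; it is not code from the message or from any WebDAV server or client. The point of sending `Overwrite: F` with every COPY is that the existence check and the write happen in one request on the server side, so there is no window between a HEAD and a COPY for another client to create the same name. The `FakeDavServer` class is a constructed in-memory stand-in so the example runs offline; `http_copy` shows the same loop wired to `http.client` against a real server (not exercised here). Paths and resource names are made up.

```python
"""Race-free WebDAV COPY to a non-clobbering destination.

HEAD-then-COPY is a check-then-act race. COPY with "Overwrite: F"
(RFC 4918, section 10.6) makes the server refuse with 412 Precondition
Failed when the destination already exists; the client then retries with
the next " (n)" suffix, or picks a unique (UUID) name instead.
"""
import http.client
import posixpath
import uuid
from urllib.parse import quote, urlsplit

OVERWRITE_FALSE = "F"


def suffixed_path(path, n):
    """Insert " (n)" before the extension: /a/report.pdf -> /a/report (1).pdf."""
    head, name = posixpath.split(path)
    stem, ext = posixpath.splitext(name)
    return posixpath.join(head, f"{stem} ({n}){ext}")


def copy_no_clobber(send_copy, src, dest, max_attempts=100):
    """send_copy(src, dest, overwrite) -> HTTP status code.

    Tries dest, then dest with " (1)", " (2)", ... and returns
    (status, final_destination). Only 412 triggers a retry; any other
    status (2xx success, or an error) is returned to the caller as-is.
    """
    candidate = dest
    for n in range(1, max_attempts + 1):
        status = send_copy(src, candidate, OVERWRITE_FALSE)
        if status != 412:
            return status, candidate
        candidate = suffixed_path(dest, n)
    raise RuntimeError(f"no free destination after {max_attempts} attempts")


def copy_unique(send_copy, src, directory, ext=""):
    """The alternative from the thread: a UUID name, so collisions are not expected.

    Overwrite: F is still sent so that an unexpected collision surfaces as
    412 rather than silently overwriting another client's resource.
    """
    dest = posixpath.join(directory, uuid.uuid4().hex + ext)
    return send_copy(src, dest, OVERWRITE_FALSE), dest


class FakeDavServer:
    """In-memory stand-in for a WebDAV server (constructed for this example).

    The existence check and the write happen in one step, as they do inside
    a real server handling one request: two clients racing for the same
    destination get one 201 and one 412, never two silent overwrites.
    """

    def __init__(self, resources):
        self.resources = dict(resources)
        self.requests = []  # (src, dest, overwrite) for every COPY seen

    def copy(self, src, dest, overwrite):
        self.requests.append((src, dest, overwrite))
        if src not in self.resources:
            return 404
        if dest in self.resources and overwrite == "F":
            return 412  # RFC 4918 9.8.5: destination non-null and Overwrite: F
        status = 204 if dest in self.resources else 201
        self.resources[dest] = self.resources[src]
        return status


def http_copy(base_url):
    """Build a send_copy callable backed by http.client for a real server.

    Not exercised here (no network); it exists so copy_no_clobber can be
    reused unchanged against an actual WebDAV endpoint.
    """
    parts = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)

    def send_copy(src, dest, overwrite):
        conn = conn_cls(parts.netloc, timeout=10)
        try:
            conn.request("COPY", quote(src), headers={
                "Destination": f"{parts.scheme}://{parts.netloc}{quote(dest)}",
                "Overwrite": overwrite,
            })
            resp = conn.getresponse()
            resp.read()
            return resp.status
        finally:
            conn.close()

    return send_copy


if __name__ == "__main__":
    # Constructed state: the source and its " (1)" copy already exist.
    server = FakeDavServer({"/docs/report.pdf": b"pdf", "/docs/report (1).pdf": b"pdf"})
    print(copy_no_clobber(server.copy, "/docs/report.pdf", "/docs/report.pdf"))
    # -> (201, '/docs/report (2).pdf') after two 412s
```

`copy_no_clobber` stops on the first non-412 status on purpose: a 403, 423 (locked) or 5xx should reach the caller rather than be hidden behind another suffix attempt, and `max_attempts` bounds the loop if a server keeps answering 412.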

This archive was generated by hypermail 2.3.1 : Friday, 9 December 2016 04:16:55 UTC