W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2000

RE: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]

From: Dylan Barrell <dbarrell@opentext.com>
Date: Thu, 6 Jul 2000 11:15:08 -0400
To: "Clemm, Geoff" <gclemm@rational.com>, <w3c-dist-auth@w3.org>
Message-ID: <NEBBIBDBCLDPAGPIKGMCEEOICLAA.dbarrell@opentext.com>
I agree - Having only 0, 1 and infinity is restrictive and infinity can be a
real problem on large sites.

> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff
> Sent: Thursday, July 06, 2000 10:29 AM
> To: w3c-dist-auth@w3.org
> Subject: RE: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]
>
>
> I think we should disallow Depth:infinity on a PROPFIND, and require that
> the client pass in some maximum depth to let the server know when it
> should stop.
>
> Cheers,
> Geoff
>
> -----Original Message-----
> From: Greg Stein [mailto:gstein@lyra.org]
> Sent: Thursday, July 06, 2000 10:15 AM
> To: w3c-dist-auth@w3.org
> Subject: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]
>
>
> What is the general consensus on PROPFIND with Depth: infinity? I quoted a
> couple messages below that tend to favor disallowing them. I got that
> impression from some other comments on this list, but couldn't
> find specific
> references.
>
> For clarity: can prople give opinions on simply disabling
> PROPFIND infinity?
>
> JimW: we should probably note (explicitly) in the spec that a server may
> return a 403 (Forbidden) if a client requests a PROPFIND with a Depth of
> infinity.
>
> [ I believe everybody is probably okay with returning a 403 (Forbidden) in
>   certain cases. My question is more along the lines of outright
> shutting it
>   off before beginning to walk the repository to see what is up. ]
>
> Cheers,
> -g
>
>
> ----- Forwarded message from Hartmut Warncke <hwarncke@Adobe.COM> -----
>
> Date: Wed, 05 Jul 2000 13:55:39 +0200
> From: Hartmut Warncke <hwarncke@Adobe.COM>
> Reply-To: Hartmut.Warncke@Adobe.COM
> To: Greg Stein <gstein@lyra.org>
> CC: Mod_dav Mailing List <dav-dev@lyra.org>
> Subject: Re: [dav-dev] Depth Infinity Requests
>
>
>
> > I am having a hard time locating the specific discussions (I
> believe there
> > have been a couple) in the archives regarding PROPFIND infinity
> requests.
> I
> > have found two references so far:
> >
> >
http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0062.html
>     http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0071.html
>
> Take a look at the end of each of these notes.
>

At the end of the second note I found a statement of Jim Whitehead:

"As a result, a conservative client should never perform a PROPFIND, depth
infinity unless it knows the namespace it is issuing the PROPFIND against,
and a server should be free to refuse to process a PROPFIND, depth infinity
if it would result in too large a response (since this could easily be used
to implement a denial of service attack). Both of these approaches are
allowed by the specification."

I do not understand the last sentence because I did not find anything about
that issue in RFC 2518 (Did I miss something?). I think the information that
a
server
can refuse a depth infinity request is a very important information which
should

be included in RFC2518?!

Hartmut



----- End forwarded message -----

--
Greg Stein, http://www.lyra.org/
Received on Thursday, 6 July 2000 11:17:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:43:54 GMT