
RE: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]

From: Jim Whitehead <ejw@ics.uci.edu>
Date: Fri, 7 Jul 2000 08:43:13 -0700
To: WebDAV WG <w3c-dist-auth@w3.org>
Message-ID: <NDBBIKLAGLCOPGKGADOJEEIMDGAA.ejw@ics.uci.edu>
Accidentally caught by the spam filter. I have added Kevin's email to the
accept2 list for w3c-dist-auth, so his emails should not be bounced in the
future.

- Jim

-----Original Message-----
From: Kevin Dyer [mailto:kevin.dyer@matrixone.com]
Sent: Thursday, July 06, 2000 8:35 AM
To: Greg Stein; w3c-dist-auth@w3.org
Subject: [Moderator Action] RE: [hwarncke@Adobe.COM: Re: [dav-dev] Depth
Infinity Requests]




> -----Original Message-----
> From: w3c-dist-auth-request@w3.org
> [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Greg Stein
> Sent: Thursday, July 06, 2000 10:15 AM
> To: w3c-dist-auth@w3.org
> Subject: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]
>
>
> What is the general consensus on PROPFIND with Depth: infinity? I quoted a
> couple messages below that tend to favor disallowing them. I got that
> impression from some other comments on this list, but couldn't find specific
> references.
>
> For clarity: can people give opinions on simply disabling PROPFIND infinity?
>
> JimW: we should probably note (explicitly) in the spec that a server may
> return a 403 (Forbidden) if a client requests a PROPFIND with a Depth of
> infinity.
>

I'm in agreement with Jim.  We should not allow infinite depth requests at
all.  Depending on what level the request is started from and the complexity
of the PROP data, the request could place a significant resource strain on
the server.

As a side benefit, not allowing infinite depth requests serves as a
security speedbump.  It forces an end application to make more requests to
retrieve the entire tree, which in turn should raise a flag with someone or
something watching the logs for unusual behavior.


				Just my 0.02 Galactic Credits,

					Kevin

____________________________________________

Kevin J. Dyer
Sr. Technologist, Product Management
kevin.dyer@matrixone.com

TEL:     978-322-2011
FAX:     978-441-0071
MOBILE:  978-314-9855

MatrixOne, Inc.
Two Executive Drive
Chelmsford, MA  01824  USA
www.matrixone.com

Leading Provider of Internet Business Collaboration Solutions
____________________________________________
Received on Friday, 7 July 2000 11:47:20 GMT
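
The two points raised in this thread (answer 403 to an infinite-depth PROPFIND, then rely on log monitoring to notice a client that walks the tree one level at a time), as an added example that is not part of the original messages. The log format, addresses, window and threshold are constructed assumptions; treating a missing Depth header as infinity follows RFC 2518.

```python
from collections import defaultdict, deque

# Constructed sample log (assumed format): epoch client method path depth=<header or "-">
SAMPLE_LOG = """\
1000 192.0.2.10 PROPFIND /docs/ depth=infinity
1001 192.0.2.10 PROPFIND /docs/ depth=1
1002 192.0.2.10 PROPFIND /docs/a/ depth=1
1003 192.0.2.10 PROPFIND /docs/a/x/ depth=1
1004 192.0.2.10 PROPFIND /docs/b/ depth=1
1005 192.0.2.10 PROPFIND /docs/c/ depth=1
1010 198.51.100.7 PROPFIND /home/user/ depth=1
1400 198.51.100.7 PROPFIND /home/user/ depth=0
1401 198.51.100.7 GET /home/user/notes.txt depth=-
"""

def refuse_propfind(method, depth_header):
    """True when the server should answer 403: PROPFIND with infinite depth."""
    if method.upper() != "PROPFIND":
        return False
    # RFC 2518: a PROPFIND without a Depth header is treated as Depth: infinity.
    effective = (depth_header or "infinity").strip().lower()
    return effective == "infinity"

def flag_tree_walkers(log_text, window=60, threshold=5):
    """Clients that PROPFIND >= threshold distinct paths within window seconds."""
    recent = defaultdict(deque)   # client -> (timestamp, path) inside the window
    flagged = set()
    for line in log_text.splitlines():   # assumes lines are in time order
        ts, client, method, path, _depth = line.split()
        if method != "PROPFIND":
            continue
        ts = int(ts)
        hits = recent[client]
        hits.append((ts, path))
        while hits[0][0] < ts - window:   # expire entries older than the window
            hits.popleft()
        if len({p for _, p in hits}) >= threshold:
            flagged.add(client)
    return flagged

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        _, client, method, path, depth = line.split()
        value = None if depth == "depth=-" else depth.split("=", 1)[1]
        if refuse_propfind(method, value):
            print("403", client, path)
    print("tree walkers:", sorted(flag_tree_walkers(SAMPLE_LOG)))
```
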
