
RE: OT Bypassing WebDAV LOCK mechanism (was RFC2518 issue...)

From: Hall, Shaun <Shaun.Hall@GBR.XEROX.COM>
Date: Thu, 2 Aug 2001 15:36:14 +0100
Message-ID: <59697CCC6CE3D411B4CD00805FBB7767287601@gbrwgcms03.wgc.gbr.xerox.com>
To: "'Alan Kent'" <ajk@mds.rmit.edu.au>, w3c-dist-auth@w3.org
Again, not bashing the vendors/implementors as these are observations and
it's all IMHO ...

> -----Original Message-----
> From: Alan Kent [mailto:ajk@mds.rmit.edu.au]
> Sent: 02 August 2001 01:14
> To: w3c-dist-auth@w3.org
> Subject: Re: rfc2518 issue: DEFER_LOCK_NULL_RESOURCES_IN_SPEC
> I would be interested in other implementors' feeling on this one.
> It's certainly not true for our system. It's certainly not true
> for Oracle iFS. I am pretty sure it's not true for Apache mod_dav
> (it's not unreasonable for web site administrators to go to the file
> system directly). I suspect the same holds for IIS.

Greg/Keith (or whoever wrote it) sums it up nicely. Take a look at the
"Caveats" for mod_dav at http://www.webdav.org/mod_dav/win32/, specifically
the 3rd bullet. Off the top of my head, I don't know if this applies to the
Unix version as well. I haven't tested either platform in this destructive
manner. Maybe Greg can shed more light on the matter.

As a side note, I did a quick test with IIS on Windows 2000. Sure enough,
when you LOCK an existing file (can't lock folders) or create an LNR, the
file (including LNR as they are implemented as files) cannot be deleted say
via the cmd line ("In use by another process" kinda msg). Looks good so far.
However, using a utility (SysInternals Process Explorer at
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), I could close the
handle to the locked file (whilst it was still locked by IIS) and then
delete the file via the cmd line. I haven't investigated how Process Viewer
actually closes the handle (maybe a call with Win32 CloseHandle()) or what
permissions are needed (I did it all with Admin rights).

See how easy it was for me to circumvent the *entire* WebDAV LOCK mechanism
(for LNR and "normal" resources)?

Okay, this is getting a little off topic, but you get my point.

> I have probably said enough on this topic.

Me too :-)

> Alan

Shaun Hall
Xerox Europe
Received on Thursday, 2 August 2001 10:40:24 UTC