W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005


From: <bugzilla@soe.ucsc.edu>
Date: Thu, 13 Oct 2005 08:54:08 -0700
Message-Id: <200510131554.j9DFs8gZ008392@ietf.cse.ucsc.edu>
To: w3c-dist-auth@w3.org


           Summary: PROPFIND_INFINITY
           Product: WebDAV-RFC2518-bis
           Version: -07
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: 19.  Security Considerations
        AssignedTo: joe-bugzilla@cursive.net
        ReportedBy: elias@cse.ucsc.edu
         QAContact: w3c-dist-auth@w3.org

If a client quickly submits multiple PROPFIND, Depth: infinity requests to the
top of a collection tree containing many resources, it effectively forms a
denial of service (DoS) attack. Though this is noted at a high level in Section
17.2 in Security Considerations, the specific risks of a large PROPFIND should
be noted there. Additionally, the specification should note whether a server is
allowed to have a configuration option to disable Depth: inifinity PROPFINDs. It
has been recommended that 403 (Forbidden) be returned if a server does not
support Depth: infinity PROPFIND. Integer values other than 0 and 1 in PROPFIND
requests were also proposed.

Raised by Hartmut Warncke, Greg Stein:

See also Jim Davis' analysis of options at:

------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
Received on Thursday, 13 October 2005 15:54:39 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:33 UTC