
Re: DAV:read privilege and browsing

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 30 Nov 2006 17:57:27 +0100
Message-ID: <456F0D77.7060706@gmx.de>
To: Kevin Wiggen <kwiggen@xythos.com>
CC: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>, WebDav WG <w3c-dist-auth@w3.org>, acl@webdav.org

Kevin Wiggen wrote:
> FYI -- Xythos would consider it a security hole if a webdav client can do a directory listing and view file names that people do NOT have read access to.  I hate when my boss has that file called FIRE-KEVIN.doc in his directory.
> 
> This is NOT how other servers view this (for instance SAP), but I would believe it is up to the server how "secure" they want to be.  Yes they can find out if they try to WRITE to a file location that has a pre-named file, however there might be other reasons the user cannot write to that location.
> 
> Kevin

Kevin,

yes I totally agree that it's the server's choice to decide that. I 
wasn't trying to advocate one specific approach.

Basically, if the server exposes the names of children that the user 
doesn't have access to, security works in a different way. For instance, 
users will have to move resources they don't want to be visible into a 
specific folder, and deny read access to that folder as well.

Best regards, Julian
Received on Thursday, 30 November 2006 16:57:37 GMT
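The two server policies the thread contrasts, and the consequence Julian points out, in a toy model. This is an added example, not code from the thread, from Xythos, SAP or any real WebDAV server: the ACL model (an absent grant is a deny, no inheritance, no aggregate privileges), the principal names, the folder tree and the file names are all constructed for illustration. It answers PROPFIND Depth: 1 either by omitting children the requesting principal cannot read, or by listing them with a 403 status, and then shows that on an exposing server the owner has to move the file into a separate collection and deny read on that collection to keep its name out of the listing.

```python
"""
Toy model of the server policy discussed in the thread: a WebDAV collection
with per-resource ACLs, answering PROPFIND Depth: 1 either by hiding children
the requesting principal cannot read, or by listing their names with a 403
status. Constructed example; not code from Xythos, SAP or any real server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

D = "{DAV:}"
ET.register_namespace("D", "DAV:")


@dataclass
class Resource:
    href: str
    is_collection: bool
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> granted privileges
    children: List[str] = field(default_factory=list)


class ToyDavServer:
    def __init__(self, hide_unreadable_children: bool):
        self.hide_unreadable_children = hide_unreadable_children
        self.tree: Dict[str, Resource] = {}

    def add(self, href: str, is_collection: bool, acl: Dict[str, Set[str]]) -> None:
        self.tree[href] = Resource(href, is_collection, acl)
        parent = href.rsplit("/", 1)[0] or "/"
        if parent != href:
            self.tree[parent].children.append(href)

    def move(self, src: str, dst: str) -> None:
        res = self.tree.pop(src)
        self.tree[src.rsplit("/", 1)[0] or "/"].children.remove(src)
        self.add(dst, res.is_collection, res.acl)

    def granted(self, principal: str, href: str, privilege: str) -> bool:
        # Toy ACL model (an assumption): an absent grant is a deny, no inheritance.
        return privilege in self.tree[href].acl.get(principal, set())

    def propfind_depth1(self, principal: str, href: str) -> Tuple[int, Optional[str]]:
        """Return (status, multistatus body). Reading the collection itself needs DAV:read."""
        if not self.granted(principal, href, "read"):
            return 403, None
        ms = ET.Element(f"{D}multistatus")
        self._response(ms, href, "HTTP/1.1 200 OK")
        for child in self.tree[href].children:
            if self.granted(principal, child, "read"):
                self._response(ms, child, "HTTP/1.1 200 OK")
            elif not self.hide_unreadable_children:
                # Exposing policy: the name leaks even though the properties do not.
                self._response(ms, child, "HTTP/1.1 403 Forbidden")
            # Hiding policy: the child is silently omitted from the listing.
        return 207, ET.tostring(ms, encoding="unicode")

    @staticmethod
    def _response(parent: ET.Element, href: str, status: str) -> None:
        resp = ET.SubElement(parent, f"{D}response")
        ET.SubElement(resp, f"{D}href").text = href
        ET.SubElement(resp, f"{D}status").text = status


def listed_hrefs(body: str) -> List[str]:
    """Every href a client learns from a multistatus body, whatever its per-response status."""
    root = ET.fromstring(body)
    return [r.findtext(f"{D}href") for r in root.findall(f"{D}response")]


def build_tree(server: ToyDavServer) -> None:
    """Constructed sample tree: the boss may read and write everything, kevin may read the folder."""
    server.add("/", True, {"boss": {"read", "write"}, "kevin": {"read"}})
    server.add("/boss", True, {"boss": {"read", "write"}, "kevin": {"read"}})
    server.add("/boss/agenda.doc", False, {"boss": {"read", "write"}, "kevin": {"read"}})
    server.add("/boss/FIRE-KEVIN.doc", False, {"boss": {"read", "write"}})


def names_seen_by_kevin(hide_unreadable_children: bool) -> List[str]:
    server = ToyDavServer(hide_unreadable_children)
    build_tree(server)
    status, body = server.propfind_depth1("kevin", "/boss")
    assert status == 207
    return listed_hrefs(body)


def names_seen_after_move() -> Tuple[List[str], int]:
    """On an exposing server the boss must move the file into a collection kevin cannot read."""
    server = ToyDavServer(hide_unreadable_children=False)
    build_tree(server)
    server.add("/boss/private", True, {"boss": {"read", "write"}})
    server.move("/boss/FIRE-KEVIN.doc", "/boss/private/FIRE-KEVIN.doc")
    _, body = server.propfind_depth1("kevin", "/boss")
    status, _ = server.propfind_depth1("kevin", "/boss/private")
    return listed_hrefs(body), status


if __name__ == "__main__":
    print("hiding server  :", names_seen_by_kevin(True))
    print("exposing server:", names_seen_by_kevin(False))
    print("after move     :", names_seen_after_move())
```

On the hiding server kevin's listing of /boss contains only the folder and agenda.doc; on the exposing server it also contains FIRE-KEVIN.doc with a 403 status. After the move, the exposing server still shows the name of /boss/private, but a Depth: 1 PROPFIND on that collection is refused outright, which is the extra step Julian describes: the owner hides names by folder placement rather than by per-file read denial.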
