W3C home > Mailing lists > Public > www-webdav-dasl@w3.org > July to September 2008

Re: Security considerations, was Re: Area Director feedback on draft-reschke-webdav-search-15 re supported query complexity

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 02 Jul 2008 17:29:24 +0200
Message-ID: <486B9ED4.3070003@gmx.de>
To: Javier Godoy <rjgodoy@fich.unl.edu.ar>
CC: Jim Davis <jrd3@alum.mit.edu>, www-webdav-dasl@w3.org

Javier Godoy wrote:
> ...
> [[
>   A query must not allow one to retrieve information about values or
>   existence of properties that one could not obtain via PROPFIND. (e.g.
>   by use in DAV:orderby, or in expressions on properties.)
> ]]
> 
> IMHO this should be an uppercase MUST NOT, in order to emphasize that 
> SEARCH
> must comply with the Access Control Protocol (RFC 3744).
> (At least, the DAV:read privilege must be honored, as well as DAV:read-acl
> and DAV:read-current-user-privilege-set if DAV:acl is
> searchable/selectable/sortable.)
> ...

In the meantime, this says:

    A query MUST NOT allow clients to retrieve information that wouldn't
    have been available through the GET or PROPFIND methods in the first
    place.  In particular:

    o  Query constraints on WebDAV properties for which the client does
       not have read access need to be evaluated as if the property did
       not exist (see Section 5.5.3).

    o  Query constraints on content (as with DAV:contains, defined in
       Section 5.16) for which the client does not have read access need
       to be evaluated as if a GET would return a 4xx status code.

I'm not too enthusiastic to add more RFC3744 related language; after 
all, some of the SEARCH implementations do not support RFC3744 anyway, 
so it seems to be a better approach to describe this in terms of whether 
the client is able to GET the content/PROPFIND a property (thus talk 
about status codes, not RFC3744 privileges).

BR, Julian
Received on Wednesday, 2 July 2008 15:30:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 22 March 2009 03:38:10 GMT