- From: Clemm, Geoff <gclemm@Rational.Com>
- Date: Wed, 15 Mar 2000 18:01:32 -0500
- To: w3c-dist-auth@w3.org
I'm probably not as concerned by the denial of service attack as I am that the client will be burdened with large numbers of duplicates when they try a PROPFIND in this case. Perhaps instead of (in addition to?) "Loop Detected", we could have a "Duplicate Detected" status, which would provide a way for a server to say that this resource has already appeared in the PROPFIND. If we returned all properties with duplicates, this would still result in much redundancy in the PROPFIND result. I guess I'd like to modify my earlier response to say we *only* return the DAV:urn property in the case of duplicates. As a final thought, shouldn't "Duplicate Detected" be a 2xx status, since it is not an error, but rather just an abbreviation? Cheers, Geoff -----Original Message----- From: Tim Ellison/OTT/OTI [mailto:Tim_Ellison@oti.com] Sent: Wednesday, March 15, 2000 3:34 PM To: w3c-dist-auth@w3.org Subject: Loops II An observation: Although infinite loops are broken using Loop Detected rules, since all (non-circular) paths are returned by deep operations it is trivial to construct an n**m walks graph by having n levels with m bindings between each. This would be a prime candidate for denial of service type attacks against a server. Tim
Received on Wednesday, 15 March 2000 18:02:16 UTC