- From: Dylan Barrell <dbarrell@opentext.com>
- Date: Thu, 6 Jul 2000 11:15:08 -0400
- To: "Clemm, Geoff" <gclemm@rational.com>, <w3c-dist-auth@w3.org>
I agree - Having only 0, 1 and infinity is restrictive and infinity can be a real problem on large sites. > -----Original Message----- > From: w3c-dist-auth-request@w3.org > [mailto:w3c-dist-auth-request@w3.org]On Behalf Of Clemm, Geoff > Sent: Thursday, July 06, 2000 10:29 AM > To: w3c-dist-auth@w3.org > Subject: RE: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests] > > > I think we should disallow Depth:infinity on a PROPFIND, and require that > the client pass in some maximum depth to let the server know when it > should stop. > > Cheers, > Geoff > > -----Original Message----- > From: Greg Stein [mailto:gstein@lyra.org] > Sent: Thursday, July 06, 2000 10:15 AM > To: w3c-dist-auth@w3.org > Subject: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests] > > > What is the general consensus on PROPFIND with Depth: infinity? I quoted a > couple messages below that tend to favor disallowing them. I got that > impression from some other comments on this list, but couldn't > find specific > references. > > For clarity: can prople give opinions on simply disabling > PROPFIND infinity? > > JimW: we should probably note (explicitly) in the spec that a server may > return a 403 (Forbidden) if a client requests a PROPFIND with a Depth of > infinity. > > [ I believe everybody is probably okay with returning a 403 (Forbidden) in > certain cases. My question is more along the lines of outright > shutting it > off before beginning to walk the repository to see what is up. ] > > Cheers, > -g > > > ----- Forwarded message from Hartmut Warncke <hwarncke@Adobe.COM> ----- > > Date: Wed, 05 Jul 2000 13:55:39 +0200 > From: Hartmut Warncke <hwarncke@Adobe.COM> > Reply-To: Hartmut.Warncke@Adobe.COM > To: Greg Stein <gstein@lyra.org> > CC: Mod_dav Mailing List <dav-dev@lyra.org> > Subject: Re: [dav-dev] Depth Infinity Requests > > > > > I am having a hard time locating the specific discussions (I > believe there > > have been a couple) in the archives regarding PROPFIND infinity > requests. > I > > have found two references so far: > > > > http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0062.html > http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0071.html > > Take a look at the end of each of these notes. > At the end of the second note I found a statement of Jim Whitehead: "As a result, a conservative client should never perform a PROPFIND, depth infinity unless it knows the namespace it is issuing the PROPFIND against, and a server should be free to refuse to process a PROPFIND, depth infinity if it would result in too large a response (since this could easily be used to implement a denial of service attack). Both of these approaches are allowed by the specification." I do not understand the last sentence because I did not find anything about that issue in RFC 2518 (Did I miss something?). I think the information that a server can refuse a depth infinity request is a very important information which should be included in RFC2518?! Hartmut ----- End forwarded message ----- -- Greg Stein, http://www.lyra.org/
Received on Thursday, 6 July 2000 11:17:04 UTC