Re: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests] from Tim Ellison/OTT/OTI on 2000-07-06 (w3c-dist-auth@w3.org from July to September 2000)

From: Tim Ellison/OTT/OTI <Tim_Ellison@oti.com>
Date: Thu, 6 Jul 2000 12:28:50 -0400
To: w3c-dist-auth@w3.org
Message-ID: <OF78C24E4E.C855F55E-ON85256914.005A806F@ott.oti.com>

The server should be free to refuse depth requests (>1<g>) that it decides 
are too expensive.  Of course, that does not preclude the spec from 
allowing the header value to be 0 .. n or infinity, but it does further 
complicate the client that has to deal with refusals and 'do the work'.
If maintaining a simple client is required, I would vote for dropping 
depth infinity (and keeping only 0 and 1).

Tim





Greg Stein <gstein@lyra.org>
Sent by: w3c-dist-auth-request@w3.org
06-07-00 10:15 AM

 
        To:     w3c-dist-auth@w3.org
        cc: 
        Subject:        [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests]

What is the general consensus on PROPFIND with Depth: infinity? I quoted a
couple messages below that tend to favor disallowing them. I got that
impression from some other comments on this list, but couldn't find 
specific
references.

For clarity: can prople give opinions on simply disabling PROPFIND 
infinity?

JimW: we should probably note (explicitly) in the spec that a server may
return a 403 (Forbidden) if a client requests a PROPFIND with a Depth of
infinity.

[ I believe everybody is probably okay with returning a 403 (Forbidden) in
  certain cases. My question is more along the lines of outright shutting 
it
  off before beginning to walk the repository to see what is up. ]

Cheers,
-g


----- Forwarded message from Hartmut Warncke <hwarncke@Adobe.COM> -----

Date: Wed, 05 Jul 2000 13:55:39 +0200
From: Hartmut Warncke <hwarncke@Adobe.COM>
Reply-To: Hartmut.Warncke@Adobe.COM
To: Greg Stein <gstein@lyra.org>
CC: Mod_dav Mailing List <dav-dev@lyra.org>
Subject: Re: [dav-dev] Depth Infinity Requests



> I am having a hard time locating the specific discussions (I believe 
there
> have been a couple) in the archives regarding PROPFIND infinity 
requests. I
> have found two references so far:
>
>     http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0062.html
>     http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0071.html
>
> Take a look at the end of each of these notes.
>

At the end of the second note I found a statement of Jim Whitehead:

"As a result, a conservative client should never perform a PROPFIND, depth
infinity unless it knows the namespace it is issuing the PROPFIND against,
and a server should be free to refuse to process a PROPFIND, depth 
infinity
if it would result in too large a response (since this could easily be 
used
to implement a denial of service attack). Both of these approaches are
allowed by the specification."

I do not understand the last sentence because I did not find anything 
about
that issue in RFC 2518 (Did I miss something?). I think the information 
that a
server
can refuse a depth infinity request is a very important information which 
should

be included in RFC2518?!

Hartmut



----- End forwarded message -----

-- 
Greg Stein, http://www.lyra.org/

Received on Thursday, 6 July 2000 12:32:37 UTC