FW: OT Bypassing WebDAV LOCK mechanism (was RFC2518 issue...)

Resending as the list didn't send me (or a colleague) a copy so not sure if
it got through.
Apologies if you've seen this.

Shaun Hall
Xerox Europe


> -----Original Message-----
> From: Hall, Shaun 
> Sent: 02 August 2001 15:36
> To: 'Alan Kent'; w3c-dist-auth@w3.org
> Subject: RE: OT Bypassing WebDAV LOCK mechanism (was RFC2518 issue...)
> 
> 
> Again, not bashing the vendors/implementors as these are 
> observations and it's all IMHO ...
> 
> > -----Original Message-----
> > From: Alan Kent [mailto:ajk@mds.rmit.edu.au]
> > Sent: 02 August 2001 01:14
> > To: w3c-dist-auth@w3.org
> > Subject: Re: rfc2518 issue: DEFER_LOCK_NULL_RESOURCES_IN_SPEC
> > 
> > I would be interested in other implementors' feelings on this one.
> > It's certainly not true for our system. It's certainly not true
> > for Oracle iFS. I am pretty sure it's not true for Apache mod_dav
> > (it's not unreasonable for web site administrators to go to the file
> > system directly). I suspect the same holds for IIS.
> 
> FYI:
> 
> Greg/Keith (or whoever wrote it) sums it up nicely. Take a 
> look at the "Caveats" for mod_dav at 
> http://www.webdav.org/mod_dav/win32/, specifically the 3rd 
> bullet. Off the top of my head, I don't know if this applies 
> to the Unix version as well. I haven't tested either platform 
> in this destructive manner. Maybe Greg can shed more light on 
> the matter.
> 
> As a side note, I did a quick test with IIS on Windows 2000. 
> Sure enough, when you LOCK an existing file (can't lock 
> folders) or create an LNR, the file (including LNR as they 
> are implemented as files) cannot be deleted say via the cmd 
> line ("In use by another process" kinda msg). Looks good so 
> far. However, using a utility (SysInternals Process Explorer 
> at http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), 
> I could close the handle to the locked file (whilst it was 
> still locked by IIS) and then delete the file via the cmd 
> line. I haven't investigated how Process Viewer actually 
> closes the handle (maybe a call with Win32 CloseHandle()) or 
> what permissions are needed (I did it all with Admin rights).
> 
> See how easy it was for me to circumvent the *entire* WebDAV 
> LOCK mechanism (for LNR and "normal" resources)?
> 
> Okay this is getting a little off topic, but you get my point.
> 
> > 
> > 
> > I have probably said enough on this topic.
> 
> Me too :-)
> 
> > 
> > Alan
> > 
> 
> Regards
> 
> Shaun Hall
> Xerox Europe
> 

Received on Monday, 6 August 2001 04:47:05 UTC