- From: <bugzilla@soe.ucsc.edu>
- Date: Thu, 13 Oct 2005 08:54:08 -0700
- To: w3c-dist-auth@w3.org
http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=134

           Summary: PROPFIND_INFINITY
           Product: WebDAV-RFC2518-bis
           Version: -07
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: 19. Security Considerations
        AssignedTo: joe-bugzilla@cursive.net
        ReportedBy: elias@cse.ucsc.edu
         QAContact: w3c-dist-auth@w3.org

If a client quickly submits multiple PROPFIND, Depth: infinity requests to the top of a collection tree containing many resources, it effectively forms a denial of service (DoS) attack. Though this is noted at a high level in Section 17.2 in Security Considerations, the specific risks of a large PROPFIND should be noted there.

Additionally, the specification should note whether a server is allowed to have a configuration option to disable Depth: infinity PROPFINDs. It has been recommended that 403 (Forbidden) be returned if a server does not support Depth: infinity PROPFIND. Integer values other than 0 and 1 in PROPFIND requests were also proposed.

Raised by Hartmut Warncke, Greg Stein:
http://dav.lyra.org/pipermail/dav-dev/2000-July/001320.html
http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JulSep/0005.html

See also Jim Davis' analysis of options at:
http://lists.w3.org/Archives/Public/w3c-dist-auth/2000JulSep/0025.html

------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
Received on Thursday, 13 October 2005 15:54:39 UTC
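The server-side check the bug report asks the specification to permit, as an added example that is not part of the bug report and not code from any WebDAV server. It assumes a hypothetical configuration switch `allow_infinite_depth` and a hypothetical `propfind_depth_decision()` helper; HTTP framing is reduced to a dict of headers so the logic runs offline. Two points from the RFC 2518 text itself drive the logic: the only valid Depth values are "0", "1" and "infinity" (section 9.2), and a PROPFIND sent with no Depth header is treated as "Depth: infinity" (section 8.1), so a server that disables infinite-depth walks must also refuse the header-less request, not just the explicit one. Integer depths beyond 1 were only proposed in the threads the bug cites, so the example rejects them as malformed rather than inventing semantics for them.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# RFC 2518 section 9.2: the only valid Depth header values. A PROPFIND sent
# without a Depth header is treated as "infinity" (RFC 2518 section 8.1).
VALID_DEPTHS = ("0", "1", "infinity")


@dataclass(frozen=True)
class Decision:
    status: int            # HTTP status the server would answer with
    depth: Optional[str]   # normalised Depth value, None when the request is rejected
    reason: str


def propfind_depth_decision(headers: Mapping[str, str],
                            is_collection: bool,
                            allow_infinite_depth: bool) -> Decision:
    """Decide how a server handles the Depth header of a PROPFIND.

    `allow_infinite_depth` is the hypothetical configuration option the bug
    report asks the specification to allow. A 207 result means "proceed with
    the normal Multi-Status property walk"; this example stops before that.
    """
    # Header names are case-insensitive; find Depth however it was spelled.
    raw = None
    for name, value in headers.items():
        if name.lower() == "depth":
            raw = value.strip().lower()
            break

    # Missing header: RFC 2518 section 8.1 says act as if "Depth: infinity".
    depth = "infinity" if raw is None else raw

    if depth not in VALID_DEPTHS:
        # "2", "-1", "" and similar: integer depths other than 0 and 1 were
        # only proposed, so treat them as a malformed request.
        return Decision(400, None, f"unsupported Depth value {raw!r}")

    if depth == "infinity" and is_collection and not allow_infinite_depth:
        # Refuse to walk the whole subtree: the 403 (Forbidden) response the
        # bug report says was recommended for servers that disable this.
        return Decision(403, None,
                        "Depth: infinity PROPFIND is disabled on collections")

    if not is_collection:
        # Depth has no effect on a non-collection resource; normalise to 0.
        depth = "0"
    return Decision(207, depth, "proceed with property listing")


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        ({}, True, False),                        # no Depth header, infinity disabled
        ({"Depth": "Infinity"}, True, True),      # explicit infinity, allowed
        ({"Depth": "1"}, True, False),            # one level, always fine
        ({"depth": "2"}, True, True),             # proposed but not valid
        ({}, False, False),                       # non-collection, no header
    ]
    for headers, coll, allow in samples:
        print(headers, coll, allow, "->", propfind_depth_decision(headers, coll, allow))
```

Note that the rate at which a client repeats the request (the "quickly submits multiple" part of the report) is not addressed by the Depth check alone; that needs per-client concurrency or rate limits in the server, which the bug report leaves open.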