- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 30 Nov 2006 17:57:27 +0100
- To: Kevin Wiggen <kwiggen@xythos.com>
- CC: Wilfredo Sánchez Vega <wsanchez@wsanchez.net>, WebDav WG <w3c-dist-auth@w3.org>, acl@webdav.org
Kevin Wiggen wrote:
> FYI -- Xythos would consider it a security hole if a webdav client can do a directory listing and view file names that people do NOT have read access to. I hate when my boss has that file called FIRE-KEVIN.doc in his directory.
>
> This is NOT how other servers view this (for instance SAP), but I would believe it is up to the server how "secure" they want to be. Yes, they can find out if they try to WRITE to a file location that has a pre-named file; however, there might be other reasons the user cannot write to that location.
>
> Kevin

Kevin,

yes, I totally agree that it's the server's choice to decide that. I wasn't trying to advocate one specific approach.

Basically, if the server exposes the names of children that the user doesn't have access to, security works in a different way. For instance, users will have to move resources they don't want to be visible into a specific folder, and deny read access to that folder as well.

Best regards, Julian
Received on Thursday, 30 November 2006 16:57:37 UTC
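The two listing policies discussed in the message above, modelled as an added example that is not part of the thread and not code from Xythos, SAP or any other WebDAV server. The resource tree, the principals "boss" and "kevin", and the per-resource ACLs are constructed for illustration; the model reduces a Depth: 1 PROPFIND to "which child hrefs does the server reveal", with `hide_unreadable=True` standing for the Xythos behaviour Kevin describes and `hide_unreadable=False` for a server that exposes every child name. It also shows the workaround Julian mentions: under the exposing policy, the owner keeps the file in a subfolder whose read access is denied, so the folder name is still listed but its contents are not.

```python
"""Toy model of a WebDAV Depth: 1 collection listing under two server policies.

Constructed example: the tree, principals and ACLs are invented and do not
come from any real WebDAV server or from the mailing-list thread.
"""
from dataclasses import dataclass, field

READ = "read"
WRITE = "write"


@dataclass
class Resource:
    # ACL: principal name -> set of privileges granted on this resource
    acl: dict = field(default_factory=dict)
    # children: name -> Resource (only populated for collections)
    children: dict = field(default_factory=dict)
    collection: bool = False


class Forbidden(Exception):
    """Stand-in for a 403 Forbidden response."""


def has_privilege(res, principal, priv):
    return priv in res.acl.get(principal, set())


def lookup(root, path):
    node = root
    for seg in [s for s in path.split("/") if s]:
        node = node.children[seg]
    return node


def list_collection(root, path, principal, hide_unreadable):
    """Return the child hrefs a Depth: 1 PROPFIND on `path` would reveal.

    hide_unreadable=True  -> omit children the principal cannot read
                             (the behaviour Kevin describes for Xythos)
    hide_unreadable=False -> reveal every child's name regardless of its ACL
    """
    col = lookup(root, path)
    if not has_privilege(col, principal, READ):
        # Without read on the collection itself there is no listing at all.
        raise Forbidden(path)
    names = sorted(col.children)
    if hide_unreadable:
        names = [n for n in names
                 if has_privilege(col.children[n], principal, READ)]
    return [f"{path.rstrip('/')}/{n}" for n in names]


def build_tree():
    """Constructed tree: /boss/ holds a shared file, a boss-only file and a
    boss-only subfolder (the workaround for an exposing server)."""
    everyone = {"boss": {READ, WRITE}, "kevin": {READ}}
    boss_only = {"boss": {READ, WRITE}}
    root = Resource(acl=dict(everyone), collection=True)
    home = Resource(acl=dict(everyone), collection=True)
    home.children["budget.xls"] = Resource(acl=dict(everyone))
    home.children["FIRE-KEVIN.doc"] = Resource(acl=dict(boss_only))
    private = Resource(acl=dict(boss_only), collection=True)
    private.children["FIRE-KEVIN.doc"] = Resource(acl=dict(boss_only))
    home.children["private"] = private
    root.children["boss"] = home
    return root


def demo():
    """Compare what 'kevin' learns about /boss under each policy."""
    root = build_tree()
    exposing = list_collection(root, "/boss", "kevin", hide_unreadable=False)
    hiding = list_collection(root, "/boss", "kevin", hide_unreadable=True)
    try:
        list_collection(root, "/boss/private", "kevin", hide_unreadable=False)
        private_result = "listed"
    except Forbidden:
        private_result = "403"
    return exposing, hiding, private_result


if __name__ == "__main__":
    exposing, hiding, private_result = demo()
    print("exposing policy :", exposing)      # FIRE-KEVIN.doc name is revealed
    print("hiding policy   :", hiding)        # only budget.xls is revealed
    print("/boss/private   :", private_result)  # folder name visible, contents not
```

With the exposing policy the name FIRE-KEVIN.doc is returned to a principal who has no read privilege on it, which is exactly the leak Kevin objects to; with the hiding policy the filter on the child's own ACL removes it. The last check shows the folder-based workaround: the subfolder's name is still visible to the exposing server's clients, but listing it yields 403, so the sensitive name inside stays hidden only because the owner moved it there and denied read on the folder.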