Re: [Zope-dev] WebDAV quibble -- fix in 2.6?
Would it be sufficient to disallow the PROPFIND for non-authenticated users?

- aj

- Original Message -
From: "Barry Pederson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 11:39
Subject: Re: [Zope-dev] WebDAV quibble -- fix in 2.6?

> Casey Duncan wrote:
> > This may be more 2.6 (or even 2.5.1 final) fodder:
> >
> > I notice that in a vanilla Zope install, Anonymous users are allowed access
> > through WebDAV. This is bad for two reasons:
> >
> > 1. From a security perspective this discloses way too much information about
> > your site to the outside world.
> >
> > 2. Due to vagaries of WebDAV authentication, it makes it impossible to edit
> > anything, because I guess the WebDAV implementation is too stupid to force a
> > login when you try to lock something as anonymous (instead it returns a 500
> > server error). To get around this you have to create or copy an object to
> > force a login. This problem disappears if everyone must log in to access
> > WebDAV at all.
> >
> > So the question is: Is there a good reason why WebDAV access is granted to
> > anonymous by default? If not I vote we change it.
>
> Agreed, the way it is now is just wrong, and I was shocked to see it
> wide-open like that.
>
> Barry
>
> ___
> Zope-Dev maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] WebDAV quibble -- fix in 2.6?
Casey Duncan wrote:
> This may be more 2.6 (or even 2.5.1 final) fodder:
>
> I notice that in a vanilla Zope install, Anonymous users are allowed access
> through WebDAV. This is bad for two reasons:
>
> 1. From a security perspective this discloses way too much information about
> your site to the outside world.
>
> 2. Due to vagaries of WebDAV authentication, it makes it impossible to edit
> anything, because I guess the WebDAV implementation is too stupid to force a
> login when you try to lock something as anonymous (instead it returns a 500
> server error). To get around this you have to create or copy an object to
> force a login. This problem disappears if everyone must log in to access
> WebDAV at all.
>
> So the question is: Is there a good reason why WebDAV access is granted to
> anonymous by default? If not I vote we change it.

Agreed, the way it is now is just wrong, and I was shocked to see it
wide-open like that.

Barry
[Zope-dev] WebDAV quibble -- fix in 2.6?
This may be more 2.6 (or even 2.5.1 final) fodder:

I notice that in a vanilla Zope install, Anonymous users are allowed access
through WebDAV. This is bad for two reasons:

1. From a security perspective this discloses way too much information about
your site to the outside world.

2. Due to vagaries of WebDAV authentication, it makes it impossible to edit
anything, because I guess the WebDAV implementation is too stupid to force a
login when you try to lock something as anonymous (instead it returns a 500
server error). To get around this you have to create or copy an object to
force a login. This problem disappears if everyone must log in to access
WebDAV at all.

So the question is: Is there a good reason why WebDAV access is granted to
anonymous by default? If not I vote we change it.

/---\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
[EMAIL PROTECTED]
\---/
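The two behaviours contrasted in this thread (Casey's report of anonymous PROPFIND plus a 500 on anonymous LOCK, and aj's question about refusing unauthenticated WebDAV) modelled as a toy method gate. This is an added illustration, not Zope's code: the method lists are the standard WebDAV verbs, but the realm string, the role model and the way the 500 arises are assumptions.

```python
# Added illustration, not Zope's own dispatcher. Models the default behaviour
# the thread describes versus the proposed "everyone must log in" behaviour.
from dataclasses import dataclass, field
from typing import Dict, Optional

READ_METHODS = {"PROPFIND"}                       # discloses the object tree
WRITE_METHODS = {"LOCK", "UNLOCK", "PUT", "MKCOL",
                 "MOVE", "COPY", "DELETE", "PROPPATCH"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Zope"'}  # realm is assumed


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def handle_dav(method: str, user: Optional[str], *, require_login: bool) -> Response:
    """Dispatch one WebDAV request for `user` (None means Anonymous).

    require_login=False models the default Casey reports: Anonymous may
    PROPFIND, and an anonymous LOCK is attempted with no principal and
    fails as a 500 instead of prompting for credentials.
    require_login=True models the proposed fix: every WebDAV method from
    Anonymous gets a 401 carrying a WWW-Authenticate challenge, so the
    client asks for a login before it does anything else.
    """
    if method not in READ_METHODS | WRITE_METHODS:
        return Response(405)
    if user is None:
        if require_login:
            return Response(401, dict(CHALLENGE))
        if method in READ_METHODS:
            return Response(207)      # multistatus: site structure disclosed
        return Response(500)          # models the reported symptom on LOCK etc.
    return Response(207 if method in READ_METHODS else 200)


def client_can_recover(resp: Response) -> bool:
    """A DAV client only retries with credentials after a 401 that carries
    WWW-Authenticate; on a 500 it just reports an error (Casey's symptom)."""
    return resp.status == 401 and "WWW-Authenticate" in resp.headers


def anonymous_exposure(require_login: bool) -> Dict[str, int]:
    """Status each WebDAV method returns to Anonymous under a given policy;
    any 2xx here is information disclosure or an unauthenticated write."""
    return {m: handle_dav(m, None, require_login=require_login).status
            for m in sorted(READ_METHODS | WRITE_METHODS)}
```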