Would it be sufficient to disallow the PROPFIND  for non-authenticated
users ?

- aj
----- Original Message -----
From: "Barry Pederson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 06, 2002 11:39
Subject: Re: [Zope-dev] WebDAV quibble -- fix in 2.6?


> Casey Duncan wrote:
> > This maybe more 2.6 (or even 2.5.1 final) fodder:
> >
> > I notice that in a vanilla Zope install, Anonymous users are allowed
access
> > through WebDAV. This is bad for two reasons:
> >
> > 1. From a security perspective this discloses way too much information
about
> > your site to the outside world.
> >
> > 2. Due to vagarities of WebDAV authentication, it makes it impossible to
edit
> > anything, because I guess the WebDAV implementation is too stupid to
force a
> > login when you try to lock something as anonymous (instead is returns a
500
> > server error). To get around this you have to create or copy an object
to
> > force a login. This problem disappears if everyone must login to access
> > WebDAV at all.
> >
> > So the question is: Is there a good reason why WebDAV access is granted
to
> > anonymous by default? If not I vote we change it.
>
>
> Agreed, the way it is now is just wrong, and I was shocked to see it
> wide-open like that.
>
> Barry
>
>
> _______________________________________________
> Zope-Dev maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to