> Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
> + Zope 2.1.6
> And it seems that quite a bit of the stuff that probably shouldn't be
> visible can be seen, for example acl_users

What other things are you referring to? (see answer for acl_users)

> Without being logged in I can start a download of it, eventually IE5
> fails, but I get this uncomfortable feeling that this is more due to IE5
> not handling this document type than anything else...
> If I used some other WebDAV client, could I then download acl_users, and
> if so, would this expose usernames/passwords?

It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a 
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One 
could argue that this is lame and that attempting to GET 
.../acl_users/ should raise an error (404?). I'm interested in 
other viewpoints on this - if there is some consensus, a proposed 
change should be put in the Collector.

Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com 

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )