[Zope] is WebDAV a security hole?
Brian Lloyd
Brian@digicool.com
Mon, 5 Jun 2000 15:53:41 -0400

> Thanx for an informative response!
>
> Btw I tried WebDAV vs. www.zope.org and that site refused the
> connection attempt.
> Is there some obvious setting that I can use to disable WebDAV,
> since I don't need it (as far as I know;)

DAV won't work for zope.org because it runs behind Apache and
we've never done the incantation Apache requires to let
CGI-ish processes handle their own DAV requests.

As far as disabling DAV support, there's no real way to do that
(except for running behind Apache or another server that interferes
with DAV requests by default). This really shouldn't be a problem -
the extended HTTP methods that provide DAV support all basically
have Zope API corollaries, so the DAV methods are protected by the
analogous permissions. For example:

  PROPFIND  -> manage properties
  PROPPATCH -> manage properties
  DELETE    -> delete objects
  MKCOL     -> Add folders

...and so on. GET, POST and PUT are used by DAV exactly as in
the HTTP spec, so if you can "download" something via DAV then
you could also have gotten it with your normal non-DAV aware
browser.

Hope this helps!

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
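
Added example (not part of the original message and not Zope code): because the reply says DAV cannot be switched off and is guarded by permissions instead, this Python script scans an access log for DAV requests that succeeded without an authenticated user and names the permission the message lists for each method. It assumes the log is in Common Log Format; the sample lines and the `audit_dav` name are constructed for illustration.

```python
import re

# Method -> Zope permission, exactly as listed in the message above.
DAV_PERMISSIONS = {
    "PROPFIND": "manage properties",
    "PROPPATCH": "manage properties",
    "DELETE": "delete objects",
    "MKCOL": "Add folders",
}

# Assumed format (Common Log Format):
# host ident user [time] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2000:15:40:01 -0400] "PROPFIND /site/ HTTP/1.1" 401 0
192.0.2.10 - alice [05/Jun/2000:15:40:05 -0400] "PROPFIND /site/ HTTP/1.1" 207 812
198.51.100.7 - - [05/Jun/2000:15:41:12 -0400] "MKCOL /site/tmp/ HTTP/1.1" 201 0
198.51.100.7 - - [05/Jun/2000:15:41:20 -0400] "GET /site/index_html HTTP/1.1" 200 5120
203.0.113.4 - - [05/Jun/2000:15:42:00 -0400] "DELETE /site/old HTTP/1.1" 403 0
this line is malformed and must be skipped
"""

def audit_dav(log_text):
    """Return DAV requests that succeeded (2xx) with no authenticated user."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # ignore lines that are not Common Log Format
        method, status = m["method"], int(m["status"])
        permission = DAV_PERMISSIONS.get(method)
        if permission is None:
            continue  # GET/POST/PUT behave as in plain HTTP; not audited here
        if m["user"] == "-" and 200 <= status < 300:
            findings.append((m["host"], method, m["path"], status, permission))
    return findings

if __name__ == "__main__":
    for host, method, path, status, perm in audit_dav(SAMPLE_LOG):
        print(f"{host} anonymous {method} {path} -> {status}; "
              f"check which roles hold '{perm}' on that object")
```

A finding means the anonymous role effectively holds the listed permission on that object, which may or may not be intended; the fix is in the object's permission settings, not in the DAV layer.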