[Zope-dev] WebDAV quibble -- fix in 2.6?

Barry Pederson barryp@medicine.nodak.edu
Wed, 06 Mar 2002 10:39:10 -0600


Casey Duncan wrote:
> This may be more 2.6 (or even 2.5.1 final) fodder:
> 
> I notice that in a vanilla Zope install, Anonymous users are allowed access 
> through WebDAV. This is bad for two reasons:
> 
> 1. From a security perspective this discloses way too much information about 
> your site to the outside world.
> 
> 2. Due to vagaries of WebDAV authentication, it makes it impossible to edit 
> anything, because I guess the WebDAV implementation is too stupid to force a 
> login when you try to lock something as anonymous (instead it returns a 500 
> server error). To get around this you have to create or copy an object to 
> force a login. This problem disappears if everyone must log in to access 
> WebDAV at all.
> 
> So the question is: Is there a good reason why WebDAV access is granted to 
> anonymous by default? If not I vote we change it.


Agreed, the way it is now is just wrong, and I was shocked to see it 
wide-open like that.

	Barry