Bug #1359

alias, auth etc are not checked for destination path for webdav operations

Added by HenrikHolst almost 12 years ago. Updated over 10 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:


Webdav operations such as MOVE and COPY have a destination URL inside the header. Since mod_webdav is the only module that parses this destination URL there can be troubly if one has set up alias, auth or other rules since these other modules does not parse the destination URL.

For example if one has an alias, then the source URL will be set to the correct physical path while the destination will point to the wrong physical path (and will likely fail for that reason).

And possible since mod_auth is not involved I guess that there is also a chance that one can overwrite other users files with COPY and MOVE since only the source is validated (haven't tested this though).

Perhaps the core should decode all URLs and pass them to the modules as an array of URLs and then for example mod_alias would be changed to alias all the URLs in the array while other modules still only performs action on the first URL like they do today.

Related issues

Related to Bug #1787: Bug in mod_webdav when using aliases and MOVE commandFixed




Updated by stbuehler almost 11 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

webdav is a stupid protocol imho, and so there are just some things we cannot do. There could be many modules modifying a path (think of mod_magnet scripts)...


Updated by stbuehler over 10 years ago

  • Status changed from Fixed to Wontfix

Updated by gstrauss about 3 years ago

  • Related to Bug #1787: Bug in mod_webdav when using aliases and MOVE command added

Also available in: Atom