alias, auth etc are not checked for destination path for webdav operations
Webdav operations such as MOVE and COPY have a destination URL inside the header. Since mod_webdav is the only module that parses this destination URL there can be troubly if one has set up alias, auth or other rules since these other modules does not parse the destination URL.
For example if one has an alias, then the source URL will be set to the correct physical path while the destination will point to the wrong physical path (and will likely fail for that reason).
And possible since mod_auth is not involved I guess that there is also a chance that one can overwrite other users files with COPY and MOVE since only the source is validated (haven't tested this though).
Perhaps the core should decode all URLs and pass them to the modules as an array of URLs and then for example mod_alias would be changed to alias all the URLs in the array while other modules still only performs action on the first URL like they do today.
Also available in: Atom