WebDAV Web Distributed Authoring and Versioning José A Lozada IS373

Post on 19-Dec-2015


WebDAV
Web Distributed Authoring and Versioning

José A Lozada
IS373

Introduction
Governing Standards Body
History
Specifications
Advantages / Drawbacks
Application
Conclusion
Question & Answer Session

Overview

HTTP lacks functionality for adequate remote document authoring
Set of extensions to the HTTP protocol
  ◦ Properties – Access, read and manipulate document metadata such as author, creation date, etc.
  ◦ Collections – Ability to create a set of documents and retrieve a hierarchical listing
  ◦ Locking – Prevents the “lost update problem” that occurs when two users update the same document
  ◦ Namespace Operations – Ability to copy and move documents
  ◦ Searching and Locating – Ability to submit queries and receive result sets, making use of server-side search capabilities
  ◦ Versioning – Ability for a document to automatically create versions of itself as it is updated, which can be retrieved later
  ◦ Access Control – Allows access to and manipulation of document permissions

Introduction

Internet Engineering Task Force (IETF)
  ◦ Cost: None
  ◦ Paid By: Volunteers
  ◦ Timeliness: 1 year (Base-Level Functionality)
  ◦ Legitimacy: WebDAV Working Group Charter
  ◦ Structure: Formal Documentation (RFC)
  ◦ Process: Democratic
  ◦ Participation: Open

Governing Standards Body

WebDAV Request for Comments
  ◦ Requirements Document
      Released: RFC2291 – February 1998
  ◦ Base Level Functionality
      Released: RFC2518 – February 1999
        Properties, Collections, Locking, Namespace Operations
      Revision: RFC4918 – June 2007
  ◦ Versioning
      Released: RFC3253 – March 2002
  ◦ Access Control
      Released: RFC3744 – May 2004
  ◦ SEARCH (DSL)
      Released: RFC5323 – November 2008

History

PROPFIND
  ◦ Retrieves properties defined on the resource
PROPPATCH
  ◦ Sets or removes properties defined on the resource
MKCOL
  ◦ Creates a collection resource
DELETE (Collections)
  ◦ Deletes a collection and all its members
PUT (Non-Collections)
  ◦ Creates a non-collection resource
COPY (Non-Collections, Properties, Collections)
  ◦ Copies a resource to a specified destination

Specifications

MOVE (Non-Collections, Properties, Collections)
  ◦ Copies a resource to a specified destination and deletes the source
LOCK
  ◦ Locks a resource
UNLOCK
  ◦ Unlocks a resource

Specifications (Cont’d)

Request Example:

  PROPPATCH /bar.html HTTP/1.1
  Host: www.example.com
  Content-Type: application/xml; charset="utf-8"
  Content-Length: xxxx

  <?xml version="1.0" encoding="utf-8" ?>
  <D:propertyupdate xmlns:D="DAV:"
      xmlns:Z="http://ns.example.com/standards/z39.50/">
    <D:set>
      <D:prop>
        <Z:Authors>
          <Z:Author>Jim Whitehead</Z:Author>
          <Z:Author>Roy Fielding</Z:Author>
        </Z:Authors>
      </D:prop>
    </D:set>
    <D:remove>
      <D:prop><Z:Copyright-Owner/></D:prop>
    </D:remove>
  </D:propertyupdate>

Specifications (Cont’d)

Response Example:

  HTTP/1.1 207 Multi-Status
  Content-Type: application/xml; charset="utf-8"
  Content-Length: xxxx

  <?xml version="1.0" encoding="utf-8" ?>
  <D:multistatus xmlns:D="DAV:"
      xmlns:Z="http://ns.example.com/standards/z39.50/">
    <D:response>
      <D:href>http://www.example.com/bar.html</D:href>
      <D:propstat>
        <D:prop><Z:Authors/></D:prop>
        <D:status>HTTP/1.1 424 Failed Dependency</D:status>
      </D:propstat>
      <D:propstat>
        <D:prop><Z:Copyright-Owner/></D:prop>
        <D:status>HTTP/1.1 409 Conflict</D:status>
      </D:propstat>
      <D:responsedescription> Copyright Owner cannot be deleted or
      altered.</D:responsedescription>
    </D:response>
  </D:multistatus>

Specifications (Cont’d)

Security
Privacy
Pervasiveness
Reliability
Robustness
Interoperability
Community Support
Maintainability
Ease of use

Advantages / Drawbacks

Advantages
  ◦ Native Authentication Support
Drawbacks
  ◦ Requests are sent in plain text over the internet. A third party can intercept them and see the password and data being passed.
      To prevent this, Secure Sockets Layer (SSL) should be used via the https:// protocol.
Other
  ◦ IIS6 WebDAV Authentication Bypass Exploit (Fixed)

Security

Advantages
  ◦ The underlying file system can impose its file permissions on WebDAV requests to ensure the files are accessed by the intended users.
Drawbacks
  ◦ Cases have been reported where WebDAV clients have provided a user with access to a document they would not have access to using the file system directly.

Privacy

Advantages
  ◦ The current versions of the major web server applications support WebDAV.
      Apache
      Microsoft’s Internet Information Services (IIS)
  ◦ Modern operating systems have built-in WebDAV clients.
Drawbacks
  ◦ WebDAV is not considered a priority feature
      True support for WebDAV is available in Apache2 but PHP is not fully compatible with Apache2. This results in WebDAV not being supported by many hosting services that depend on Apache and support PHP.

Pervasiveness

Advantages
  ◦ If a connection is lost, WebDAV ensures locks remain intact until the user reconnects and releases them or they time out.
  ◦ A revision addressing major issues has already been released.
  ◦ Is accessible through port 80, which is not blocked by ISPs the way other ports, such as the FTP port, usually are.
  ◦ Is not its own file system; it runs on top of existing file systems that have already been thoroughly tested.
Drawbacks
  ◦ Inherits the vulnerabilities of HTTP.
      Denial of Service Attacks

Reliability

Advantages
  ◦ Base-level functionality has been in use for over 10 years.
  ◦ Only one revision needed to address problems.
  ◦ Is a set of extensions to HTTP, which has been in use since 1990 and is nowadays used by every device with Internet support.
Drawbacks
  ◦ Some of the advanced features have been released recently and are not thoroughly tested.

Robustness

Advantages
  ◦ Is a set of extensions to HTTP, so it can be accessed by any device with Internet support.
  ◦ It adheres to XML specifications for data transfers.
  ◦ The above technologies are currently universal and supported by all major vendors. As a result, implementing a WebDAV component does not require adding support for new technologies.
Drawbacks
  ◦ No major drawbacks.

Interoperability

Advantages
  ◦ Active Community
      IIS 7 - http://forums.iis.net - March 2010
      Apache2 - http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-ubuntu-9.10 - February 2010
  ◦ Additional Released Extensions
      Ordered Collections Protocol: RFC3648 – December 2003
  ◦ Proposed Extensions (Drafts)
      Redirect Reference Resources: RFC4437 – March 2006
      Many other enhancements to collections and properties.
  ◦ Spinoffs
      CalDAV – Remote access to scheduling information
      CardDAV – Remote access to an address book
Drawbacks
  ◦ No major drawbacks.

Community Support

Advantages
  ◦ Is not a separate file system, just a remote entry point for accessing part of an already existing file system.
Drawbacks
  ◦ Another entry point into the file system hackers can attempt to breach.

Maintainability

Advantages
  ◦ One of the design requirements was to minimize complexity to allow for easy or unambiguous implementation.
  ◦ Works like and has all the same functionality as a regular file system.
  ◦ Clients are designed to mimic familiar file system manipulation tools.
Drawbacks
  ◦ No major drawbacks.

Ease of use

WebDAV Support in 2001

Document Authoring
  Microsoft Word 2000
  Microsoft Excel 2000
  Microsoft PowerPoint 2000
  Microsoft Publisher 2000
  Adobe Photoshop 6
  Adobe Acrobat 5
  Excosoft Documentor (XML Editor)
Web Site Authoring
  Adobe Go Live 5
  Macromedia Dreamweaver 4
File Managers
  Apple MacOS X webdavfs
  RiverFront WebDrive
  GNOME Nautilus
  Goliath
  cadaver
  sitecopy

Servers
  Apache mod_dav
  Microsoft IIS 5
  Microsoft Exchange 2000
  Microsoft Sharepoint
  Adobe InScope
  Oracle Internet File System
  Xythos Storage Server
  Novell Netware 5.1
  Novell Net Publisher
  Endeavors MagiExpress
  W3C Jigsaw
  IBM DAV4J
  CyberTeams WebSite Director
  HyperWave Information Server 5.5
  Openlink Virtuoso
  Intraspect Intraspect4
  DataChannel DataChannelServer (DCS 4.1)

Applications

WebDAV Support in 2010
  ◦ Apache2
  ◦ Microsoft Internet Information Services 7.0
  ◦ Microsoft Exchange Server 2007
  ◦ Microsoft Windows 7
  ◦ Mac OS X
  ◦ Subversion (Version control system)
  ◦ Third party APIs
Websites Providing WebDAV file storage
  ◦ DreamHost.com
  ◦ Venuecom.com (CalDAV)

Applications (Cont’d)

WebDAV in Infancy (Advanced Components)
  ◦ Final part completed in November 2008
  ◦ No revision for Versioning, which has problems
Good
  ◦ The base-level functionality has been widely adopted by industry leaders (MS, Mac, Apache)
  ◦ People are interested in improving it and using it, as evidenced by the many draft RFCs available
  ◦ Many spinoffs that use its model as a base (CalDAV, CardDAV)
Competition
  ◦ No general support for competitive products
      Amazon Simple Storage Service uses a proprietary protocol
      Users asked on its forum “Why not use WebDAV?”

Conclusion

Question & Answer Session