Been playing around with WebDAV from IE5 connecting to a RedHat 6.1 + Zope 2.1.6.
And it seems that quite a bit of the stuff that probably shouldn't be visible can be seen, for example acl_users.
What other things are you referring to? (see answer for acl_users below)
Without being logged in I can start a download of it, eventually IE5 fails, but I get this uncomfortable feeling that this is more due to IE5 not handling this document type than anything else...
If I used some other WebDAV client, could I then download acl_users, and if so, would this expose usernames/passwords?
It would not expose passwords - I believe that what you are seeing is a sort of non-obvious but basically harmless thing. User folders (acl_users) do not have an index_html method (by design). When a DAV client tries to "download" acl_users, it is actually acquiring the closest index_html from above and downloading that :^) One could argue that this is lame and that attempting to GET .../acl_users/ should raise an error (404?). I'm interested in other viewpoints on this - if there is some consensus, a proposed change should be put in the Collector.

Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com
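
The acquisition behaviour described in the reply above, as an added example that is not part of the original thread and is not Zope's own code: a simplified model in which a GET on an object without its own index_html serves the nearest one from a container above it. The `Node` class, the `get` function, its `strict` flag (the 404 variant the reply floats) and the sample tree are all hypothetical names and constructed data.

```python
# Simplified model of Zope-style acquisition (an assumption, not Zope's implementation).
class NotFound(Exception):
    """Stands in for an HTTP 404 response."""

class Node:
    def __init__(self, name, parent=None, **attrs):
        self.name, self.parent = name, parent
        self.attrs = dict(attrs)      # attributes this object owns itself
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    def acquire(self, attr):
        """Return (owner, value): look on self, then walk up the containers."""
        node = self
        while node is not None:
            if attr in node.attrs:
                return node, node.attrs[attr]
            node = node.parent
        raise NotFound(attr)

def traverse(root, path):
    """Resolve a URL path to an object by walking child names."""
    node = root
    for part in filter(None, path.split("/")):
        if part not in node.children:
            raise NotFound(path)
        node = node.children[part]
    return node

def get(root, path, strict=False):
    """Model of GET: return (owner name, body) of the index_html that is served.

    strict=False: an acquired index_html is served (the behaviour in the thread).
    strict=True:  hypothetical variant, 404 unless the target owns index_html.
    """
    target = traverse(root, path)
    owner, body = target.acquire("index_html")
    if strict and owner is not target:
        raise NotFound(path)
    return owner.name, body

# Constructed sample tree: a root folder with a page and a user folder.
root = Node("root", index_html="<html>Welcome page</html>")
acl_users = Node("acl_users", root, _users={"alice": "constructed-secret"})
```

When checking a live site for this, compare the body returned for the user folder URL with the body of the parent folder's index page: identical content points to acquisition rather than a dump of the user folder.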