Enable WebDAV by default

[stokito]

This will simplify usage

[ltworf]

Also simplify getting hacked…

[stokito]

if the dav has an exploit vulnerability then yes. But given that the weborf is not so widely used it shouldn't be so many bots and scanners and less interest from hackers.
Anyway, it have to be read only by default.

[ltworf]

Ah so you'd only want PROPFIND.

But it lists all the files. So if you have an index.html, it will be used to hide the real contents, but they can still be found via PROPFIND.

Would a --propfind switch work? Just so it's nothing unexpected to existing deployments.

I've checked my logs and there were no bots trying PROPFIND requests… but that doesn't mean it will never happen.

[stokito]

ok, I got it. So if a directory has an index.html e.g. this is a usual site then it will be rendered instead of the directory listing.
Then the webdav makes sense to enable only if a directory listing is enabled. This is a bad heuristic.
Basically it should be fine to allow a PROPFIND because anywway files remain accessible via direct GET.

Also from what I understood the WebDAV check is really works in qweborf: looks like it listens for a socket but forwards to the weborf via unix socket

[ltworf]

Well it's available from GET but if you don't know what you want, good luck guessing a name.

Also from what I understood the WebDAV check is really works in qweborf: looks like it listens for a socket but forwards to the weborf via unix socket

qweborf implements an authentication protocol. In the examples directory there is a simple python script that implements the protocol. Very flexible but also very annoying :)