[EMAIL PROTECTED] wrote:
>
> List files that would result in HTTP_UNAUTHORIZED in addition to
> successes and redirections, since there's a chance the client will
> actually have the proper authorization to retrieve them.
-1 (yes, a veto). Standard security practice: you don't expose even meta-information without knowing the user can access it. Unixish systems have broken with this practice since day one by making /etc/passwd readable, but it's still visible in the login sequence: you get asked for a password even if the username exists, and the 'login incorrect' doesn't tell you that it failed because of an invalid username.

Exposing the existence of something without knowing that the user can access it provides a definite target for probing and attack.

--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist       http://Apache-Server.Com/
"Millennium hand and shrimp!"
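The login-sequence behaviour Ken describes, as an added illustration that is not part of the thread or of Apache's code: a leaky check whose error message differs for unknown users beside a uniform one that does the same password-hashing work and returns the same 'Login incorrect' whether or not the username exists. The user store, salts and `pbkdf2` parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store (hypothetical): username -> (salt, PBKDF2 hash).
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_ALICE_SALT = b"constructed-salt"
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Decoy credential used when the username is unknown, so an unknown user costs
# the same hashing work as a wrong password (no timing-based existence leak).
_DECOY_SALT = b"decoy-salt"
_DECOY_HASH = _hash_password(os.urandom(16).hex(), _DECOY_SALT)

GENERIC_FAILURE = "Login incorrect"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The pattern argued against: the response reveals whether the user exists."""
    if username not in USERS:
        return (False, "No such user")          # existence leaked here
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return (True, "OK")
    return (False, "Wrong password")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Same message and same work whether or not the username exists."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    # Always hash, even for unknown users, and compare in constant time.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # Re-check membership so a decoy match can never log anyone in.
    if matched and username in USERS:
        return (True, "OK")
    return (False, GENERIC_FAILURE)
```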