The World

[as I find it]

Enabling WebDAV in IIS for HTTP PUT support

I spent a good portion of today trying to get a WebDAV share set up on a Windows Server 2003 machine. This machine is a test environment for a web service that accepts information about book titles from clients, including cover images. We decided to use the HTTP PUT method for uploading the image files, instead of HTTP POST or FTP, to keep things as simple as possible — we didn’t want to write a POST acceptor (or use someone else’s) or switch protocols mid-transmission. HTTP PUT is implemented through WebDAV in IIS, so getting WebDAV working was the first step.

Because IIS 6 comes with everything turned off by default, you have to enable the WebDAV “extension” to have PUT work. This really got me. IIS lets you create a WebDAV virtual directory and even access and browse it via HTTP, but a PUT request returns a “501: Not implemented” error until the extension is allowed. I scratched my head for a while before realizing what the problem was.

So, in sum, the steps to set up WebDAV are:

  1. Enable the WebDAV extension on the Web Service Extensions detail pane in IIS.
  2. Create a filesystem directory for a WebDAV share. Set the NTFS permissions appropriately.
  3. Create a virtual directory in IIS that points to the filesystem directory.
  4. Set the IIS directory security appropriately. Microsoft recommends not using integrated Windows authentication for internet-accessible shares.
  5. Start making PUT requests!

The final step might be a bit tricky if you haven’t written any programs to make HTTP requests (I certainly hadn’t), since I’m not sure what browser support for PUT there is. Fortunately, I found this nifty Python script to make HTTP PUT requests, and everything seems to be working beautifully. Many thanks to Sean B. Palmer, the author!

More and more these days, I find something is easier when I try to do it with Python. Now if only I could get someone to pay me for it.


Written by whereofwecannotspeak

November 15, 2007 at 1:56 am

Posted in Geeky Shtuff

9 Responses


  1. A word of caution on this: make sure you keep a “whitelist” of allowed file extensions for upload. Also, if at all possible, don’t allow users to upload to a web-accessible directory.

    Upload systems are usually a huge red flag for hackers. One technique for taking over a server is to upload an executable file (e.g. a script) to a web-accessible directory and call the file via HTTP. It’s extremely effective, especially if IIS is running as a privileged user.

    Also, even if you put things into a non-web-accessible directory, make sure you check for people using something like “../../hacked.php” as the file name. You can easily do this with a number of programs and Firefox extensions.

    Anyway, I’m sure you will build in ample checks for anomalous situations, but just wanted to point this out.

    Chris

    November 15, 2007 at 9:21 am

  2. Chris is right, of course. The advice here is meant to be supplemented by appropriate security measures. Fortunately for me, that’s not my problem: the server belongs to a web hosting company, and I’m not directly responsible for writing software on either side.

    Of course, if IIS is allowing uploads to a WebDAV directory with URLs like “http://domain.com/webdav/../a_malicious_script”, that’s a problem Microsoft should be taking care of…

    whereofwecannotspeak

    November 15, 2007 at 7:05 pm
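
The two checks from Chris's comment above (an extension allowlist, and refusing names such as “../../hacked.php”) could look like this in an upload handler; this is an added example, not code from the post or from the script it mentions. The names `safe_upload_path`, `RejectedUpload`, `ALLOWED_EXTENSIONS` and `UPLOAD_ROOT`, the directory path, and the one-extension-only policy are assumptions made for illustration.

```python
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Assumed policy for this sketch: cover images only, stored outside the web root.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
UPLOAD_ROOT = PureWindowsPath(r"D:\uploads\covers")  # hypothetical directory


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_upload_path(requested_name, root=UPLOAD_ROOT):
    """Return the path an upload may be stored at, or raise RejectedUpload."""
    # Decode repeatedly so %2e%2e%2f and %252e%252e%252f are both seen as "../".
    name = requested_name
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise RejectedUpload("too many layers of URL encoding")
    # A separator, a drive/stream colon or a control character means the client
    # sent a path, not a file name. Reject it instead of trying to clean it.
    if any(c in name for c in "/\\:") or any(ord(c) < 32 for c in name):
        raise RejectedUpload("path characters are not allowed")
    # Windows drops trailing dots and spaces, so "x.jpg." would become "x.jpg".
    if name in ("", ".", "..") or name != name.strip(" ."):
        raise RejectedUpload("empty name, or leading/trailing dot or space")
    # Exactly one extension, and it must be on the allowlist ("a.php.jpg" fails).
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension not on the allowlist")
    # Defence in depth: the final path must sit directly in the upload root.
    target = root / name
    if target.parent != root:
        raise RejectedUpload("resolved outside the upload directory")
    return target
```
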

  3. If you’re looking for a great web hosting firm, try Server Intellect. I signed up for an account with ServerIntellect recently and am amazed at their services, functionality and great support.

    Jane

    February 11, 2008 at 2:56 pm

  4. I have followed the same steps but it doesn’t work. Before following the steps I had statuscode = 501 {NotImplemented}, but now I have Conflict!…
    Any idea regarding that?

    Mai

    October 26, 2010 at 5:56 am

  5. […] is a nice post explaining how to do that here. December 13, 2009 3:09 […]

  6. One extremely convenient way to do a little testing while getting this working is to use the RESTClient add-on for Firefox. (Just Google “restclient for firefox”)

    Allan Miller

    January 21, 2011 at 7:37 pm

  7. […] There is a nice post explaining how to do that here. […]

  8. Thank you, very helpful article.
    In the Python script there is one bug: reading in a loop without a seek. Fixed part of the code:

        # Rewind first so the loop reads the file from the start.
        f.seek(0)
        while True:
            bytes = f.read()
            print >> sys.stderr, "Read: '%s'" % bytes
            if not bytes: break

    Taras Sich

    September 13, 2012 at 6:39 am

  9. […] There is a nice post explaining how to do that here. […]

