See parent: pwsafe
External-model audits of the WebDAV transport plugin subsystem (webdav branch). All Critical and High findings have been fixed.
• 2026-02-27 — OpenAI o3 — 4C/4H/3M/4L/4I — all critical+high fixed
• 2026-02-27 — OpenAI gpt-5.2 — 0C/4H/6M/4L/2I — all fixed
• 2026-02-27 — Self-review (Claude) — 0C/0H/1M/2L — all fixed
• src/os/unix/transport.cpp — plugin loader, scheme extraction, cache dir
• src/os/unix/transport_lockd.cpp — lock daemon (fork/socketpair/IPC)
• src/os/plugins/webdav/transport-webdav.cpp — libcurl WebDAV ops
• src/os/plugins/file/transport-file.cpp — local file plugin
• src/core/file.cpp — FOpen/FClose intercept
• src/os/transport.h — PWSTransport ABI
C1 — Newline injection / text IPC protocol — Fixed — binary length-prefix protocol
C2 — Cache dir 0755 → symlink/disclosure — Fixed — chmod 0700
C3 — TOCTOU plugin load — Fixed — single fd + /proc/self/fd/N
C4 — Cross-protocol curl redirect — Fixed — PROTOCOLS_STR, FOLLOWLOCATION=0
H5 — Scheme '/' traversal — Fixed — RFC 3986 validation
H7 — Missing explicit SSL verify — Fixed — VERIFYPEER=1, VERIFYHOST=2
H8 — Unbounded lock response buffer — Fixed — 64 KB cap
H(g52) — recv_string unbounded len → child OOM — Fixed
M(g52) — No EINTR in send_all/recv_all — Fixed
M(g52) — OPTIONS probe missing curl hardening — Fixed
M(g52) — Cache file not forced to 0600 — Fixed
M(g52) — Plugin fd missing S_ISREG check — Fixed
M(sr) — socketpair missing SOCK_CLOEXEC — Fixed
L(g52) — ftell() unchecked; -1 to INFILESIZE — Fixed
L(g52) — Lock-Token / DAV: header case-sensitive — Fixed
L(sr) — header_cb DAV: check partially case-sensitive — Fixed
L(sr) — Parent URL guard inconsistent with child MAX_IPC_URL — Fixed
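A sketch of how the C1, H(g52), M(g52) EINTR and M(sr) fixes fit together, added here as an illustration and not taken from the pwsafe source. The function bodies, the 4-byte big-endian framing, the kMaxIpcString value and the send_string / make_ipc_pair names are assumptions; Linux is assumed for SOCK_CLOEXEC and MSG_NOSIGNAL.

```cpp
#include <sys/socket.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <cerrno>
#include <cstdint>
#include <string>

// Assumed cap for this sketch; the page does not state the project's value.
constexpr uint32_t kMaxIpcString = 64 * 1024;

// Write exactly n bytes, retrying on EINTR and continuing after short writes.
static bool send_all(int fd, const void *buf, size_t n) {
    const char *p = static_cast<const char *>(buf);
    while (n > 0) {
        ssize_t w = send(fd, p, n, MSG_NOSIGNAL);
        if (w < 0) { if (errno == EINTR) continue; return false; }
        p += w; n -= static_cast<size_t>(w);
    }
    return true;
}
// Read exactly n bytes; EOF before n bytes arrive is treated as failure.
static bool recv_all(int fd, void *buf, size_t n) {
    char *p = static_cast<char *>(buf);
    while (n > 0) {
        ssize_t r = recv(fd, p, n, 0);
        if (r <= 0) { if (r < 0 && errno == EINTR) continue; return false; }
        p += r; n -= static_cast<size_t>(r);
    }
    return true;
}
// Frame = 4-byte big-endian length + raw bytes. There is no delimiter, so a
// newline inside a URL is payload and cannot start a second command.
static bool send_string(int fd, const std::string &s) {
    if (s.size() > kMaxIpcString) return false;
    uint32_t len = htonl(static_cast<uint32_t>(s.size()));
    return send_all(fd, &len, sizeof len) && send_all(fd, s.data(), s.size());
}
// Check the peer-supplied length against the cap before allocating.
static bool recv_string(int fd, std::string &out) {
    uint32_t len = 0;
    if (!recv_all(fd, &len, sizeof len)) return false;
    len = ntohl(len);
    if (len > kMaxIpcString) return false;  // reject instead of allocating
    out.assign(len, '\0');
    return len == 0 || recv_all(fd, &out[0], len);
}
// SOCK_CLOEXEC keeps both IPC descriptors out of any program exec'd later.
static bool make_ipc_pair(int sv[2]) {
    return socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) == 0;
}
```

After recv_string rejects an oversized length the stream is no longer framed, so the caller should close the socket instead of trying to resynchronise.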
• Cache filename collision (truncation without hash) — known limitation, not a security issue for single-user use
• Daemon crash is unrecoverable (EIO; user must reopen)
• libcurl post-fork state technically undefined (safe in practice)