[tahoe-dev] Tahoe and restricting uploads

Nathan nejucomo at gmail.com
Sat Nov 22 17:26:44 PST 2008


On Wed, Oct 8, 2008 at 12:37 PM, Brian Warner
<warner-tahoe at allmydata.com> wrote:
>
> Oh, yeah, zooko's point is an excellent one. If you restrict the user to
> doing a GET, then they won't be able to cause any side-effects. All files are
> uploaded using PUT or POST.

A naive implementation of this policy leads to a confused deputy attack:

If you depend on some rule which lets certain browsers POST, but not
others, an attacker creates a malicious web page which executes the
POST of their choosing.  Next, they trick any user who has the ability
to POST to visit the malicious website.

One means for publishers to defend themselves against this is to only
publish content with command-line tools (in *addition* to whatever
policy mechanism restricts POSTs).

Perhaps a more user-friendly approach, with Firefox, is to create a
separate profile and *only* use it to publish and not visit other
sites.  (This can also be tricky if the attacker can sneak links into
the grid content.)


[snip...]


Nathan
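The confused-deputy problem described in the message above, as an added example that is not part of the original post or of Tahoe's own code: a "naive" authorization rule that lets any browser holding a trusted session cookie POST, beside a hardened rule that additionally requires an Origin check and a per-session anti-CSRF token. The request dictionaries, the `gateway.example` and `evil.example` origins, and the session ids are all constructed for the example; the point it shows is that the browser attaches the cookie to a cross-site form submission automatically, so the naive rule cannot tell the publisher's own action from one triggered by a malicious page, while the token (unreadable cross-origin) and the Origin header let the server reject it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for deriving tokens; a real deployment would load
# this from configuration rather than generating it at import time.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical origin of the grid's web gateway; anything else is foreign.
ALLOWED_ORIGINS = {"https://gateway.example"}


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token (synchronizer token pattern).
    Only the gateway's own pages are given this value, and the same-origin
    policy prevents a page on another site from reading it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def naive_policy(req: dict, trusted_sessions: set) -> bool:
    """The rule the thread warns about: GET is always fine, and a browser that
    presents a trusted session cookie may POST/PUT.  Because the browser sends
    the cookie on every request to the site, a POST initiated by a malicious
    page loaded in that browser passes this check just like the user's own."""
    if req["method"] == "GET":
        return True
    return req.get("cookie_session") in trusted_sessions


def hardened_policy(req: dict, trusted_sessions: set) -> bool:
    """Same trust decision, but the side-effecting request must also prove it
    came from the gateway's own page rather than from ambient browser authority."""
    if req["method"] == "GET":
        return True
    sid = req.get("cookie_session")
    if sid not in trusted_sessions:
        return False
    # Check 1: a form submitted from a foreign page carries that page's Origin.
    # Older browsers may omit the header entirely, so absence alone is not fatal.
    origin = req.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    # Check 2: the synchronizer token.  A foreign page cannot read it, so it
    # cannot include it; compare in constant time.
    token = req.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(token, csrf_token_for(sid))


# Constructed sample requests.  The session id is the same in both POSTs: the
# browser attaches the cookie regardless of which page built the form.
TRUSTED = {"sess-publisher-1"}

LEGIT_POST = {
    "method": "POST",
    "cookie_session": "sess-publisher-1",
    "origin": "https://gateway.example",
    "form": {"file": "notes.txt", "csrf_token": csrf_token_for("sess-publisher-1")},
}

CROSS_SITE_POST = {
    "method": "POST",
    "cookie_session": "sess-publisher-1",
    "origin": "https://evil.example",
    "form": {"file": "planted.txt"},  # no token: the foreign page cannot obtain it
}

ANON_GET = {"method": "GET"}


def compare_policies() -> dict:
    """Return each policy's verdict on the sample requests, for inspection."""
    return {
        name: {"naive": naive_policy(r, TRUSTED), "hardened": hardened_policy(r, TRUSTED)}
        for name, r in (("legit_post", LEGIT_POST), ("cross_site_post", CROSS_SITE_POST), ("anon_get", ANON_GET))
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:16s} naive={verdict['naive']!s:5s} hardened={verdict['hardened']}")
```

The separate-profile mitigation from the message works for the same reason the token does: the publishing profile's cookies are never present in the browser that visits other sites, so a malicious page there has no ambient authority to borrow. The server-side checks above are the complement, for the case where a publisher does end up loading untrusted content with a logged-in session.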
