[tahoe-dev] [tahoe-lafs] #674: controlled access to your WUI
tahoe-lafs
trac at allmydata.org
Mon Apr 27 21:15:29 PDT 2009
#674: controlled access to your WUI
-------------------------+--------------------------------------------------
Reporter: zooko | Owner: nobody
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: unknown | Version: 1.3.0
Keywords: | Launchpad_bug:
-------------------------+--------------------------------------------------
Comment(by nejucomo):
I should have provided more details for my last post.
Javascript from the same origin should be able to grab the $WUI_SECRET
from its location (and may be able to grab it from another window even in
the scheme where the $WUI_SECRET is not present in retrieval URLs).
A same-origin CSRF that exploits the
"http://$host/$WUI_SECRET/uri/$FILE_READ_CAP" URL might be HTML containing
<img src="http://../../admin?delete_all_shared=true">.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/674#comment:2>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid