[tahoe-dev] Authority to DoS via WAPI

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Jan 15 01:26:15 PST 2009 

On Wed, 2009-01-14 at 18:52 -0700, zooko wrote:
> Thanks for the patch, Toby!
> 
> The name should reflect that this is ambient authority specifically  
> for uploading, so how about something like  
> "web.ambient_upload_authority"?
> 
> Also, the users following the current install docs [1] need to learn  
> how to configure their nodes to allow uploads.  I suspect it would be  
> easiest to make the ambient upload authority default to True for this  
> imminent release.
> 
> Also, in fact, your patch shows no signs of actually reading the  
> config file and having any way to turn the ambient authority on.  :-)

I forgot the top part of the patch! Sorry.


> Finally, both of the error messages mention "PUT" although one of  
> them is for POST.

Patch updated to include the changes above. Error messages from the web
server in response to POST / PUT to /uri now also actually display ;)

diff -rc allmydata/client.py allmydata.patched/client.py
*** allmydata/client.py 2009-01-08 18:17:35.000000000 +0000
--- allmydata.patched/client.py 2009-01-15 09:12:42.000000000 +0000
***************
*** 263,269 ****
          nodeurl_path = os.path.join(self.basedir, "node.url")
          staticdir = self.get_config("node", "web.static", "public_html")
          staticdir = os.path.expanduser(staticdir)
!         ws = WebishServer(webport, nodeurl_path, staticdir)
          self.add_service(ws)
  
      def init_ftp_server(self):
--- 263,272 ----
          nodeurl_path = os.path.join(self.basedir, "node.url")
          staticdir = self.get_config("node", "web.static", "public_html")
          staticdir = os.path.expanduser(staticdir)
!         # should we provide ambient upload authority?
!         ambientUploadAuthority = self.get_config("node", "web.ambient_upload_authority", True, boolean=True)
!         
!         ws = WebishServer(webport, nodeurl_path, staticdir, ambientUploadAuthority)
          self.add_service(ws)
  
      def init_ftp_server(self):
diff -rc allmydata/web/root.py allmydata.patched/web/root.py
*** allmydata/web/root.py	2008-12-01 23:27:15.000000000 +0000
--- allmydata.patched/web/root.py	2009-01-15 09:17:12.000000000 +0000
***************
*** 23,28 ****
--- 23,32 ----
      # I live at /uri . There are several operations defined on /uri itself,
      # mostly involved with creation of unlinked files and directories.
  
+     
+     def setAmbientUploadAuthority(self, ambientUploadAuthority):
+         self.ambientUploadAuthority = ambientUploadAuthority
+ 
      def render_GET(self, ctx):
          req = IRequest(ctx)
          uri = get_arg(req, "uri", None)
***************
*** 36,41 ****
--- 40,48 ----
          return there
  
      def render_PUT(self, ctx):
+         if not self.ambientUploadAuthority:
+             raise WebError("/uri handling of PUT not enabled on this node")
+ 
          req = IRequest(ctx)
          # either "PUT /uri" to create an unlinked file, or
          # "PUT /uri?t=mkdir" to create an unlinked directory
***************
*** 53,58 ****
--- 60,68 ----
          raise WebError(errmsg, http.BAD_REQUEST)
  
      def render_POST(self, ctx):
+         if not self.ambientUploadAuthority:
+             raise WebError("/uri handling of POST not enabled on this node")
+ 
          # "POST /uri?t=upload&file=newfile" to upload an
          # unlinked file or "POST /uri?t=mkdir" to create a
          # new directory
***************
*** 122,127 ****
--- 132,141 ----
          rend.Page.__init__(self, original)
          self.child_operations = operations.OphandleTable()
  
+     def setAmbientUploadAuthority(self, ambientUploadAuthority):
+         self.child_uri.setAmbientUploadAuthority(ambientUploadAuthority)
+ 
+ 
      child_uri = URIHandler()
      child_cap = URIHandler()
      child_file = FileHandler()
diff -rc allmydata/webish.py allmydata.patched/webish.py
*** allmydata/webish.py	2008-10-29 22:36:20.000000000 +0000
--- allmydata.patched/webish.py	2009-01-15 09:11:27.000000000 +0000
***************
*** 123,132 ****
      name = "webish"
      root_class = root.Root
  
!     def __init__(self, webport, nodeurl_path=None, staticdir=None):
          service.MultiService.__init__(self)
          self.webport = webport
          self.root = self.root_class()
          self.site = site = appserver.NevowSite(self.root)
          self.site.requestFactory = MyRequest
          if self.root.child_operations:
--- 123,135 ----
      name = "webish"
      root_class = root.Root
  
!     def __init__(self, webport, nodeurl_path=None, staticdir=None, ambientUploadAuthority=False):
          service.MultiService.__init__(self)
          self.webport = webport
          self.root = self.root_class()
+         if self.root_class == root.Root:
+             self.root.setAmbientUploadAuthority(ambientUploadAuthority)
+ 
          self.site = site = appserver.NevowSite(self.root)
          self.site.requestFactory = MyRequest
          if self.root.child_operations:

More information about the tahoe-dev mailing list