[tahoe-dev] [tahoe-lafs] #821: A script in a file viewed through the WUI can obtain the file's read cap
tahoe-lafs
trac at allmydata.org
Tue Oct 27 21:03:18 PDT 2009
#821: A script in a file viewed through the WUI can obtain the file's read cap
-------------------------------+--------------------------------------------
 Reporter:  davidsarah         |           Owner:
     Type:  defect             |          Status:  new
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  1.5.0
 Keywords:  newcaps security   |   Launchpad_bug:
-------------------------------+--------------------------------------------
http://allmydata.org/trac/tahoe/ticket/98#comment:22
A script (such as JavaScript) in an [X]HTML file viewed through the WUI
can obtain the read cap for that file. For an immutable file, this is not
much of a problem because the script can read the contents of the file
anyway. However, for a mutable file, it can also read any future version,
which is a violation of the Principle of Least Authority.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/821>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid