[tahoe-dev] [tahoe-lafs] #821: A script in a file viewed through the WUI can obtain the file's read cap
tahoe-lafs
trac at allmydata.org
Tue Oct 27 23:49:32 PDT 2009
#821: A script in a file viewed through the WUI can obtain the file's read cap
-----------------------------------+----------------------------------------
Reporter: davidsarah | Owner:
Type: defect | Status: reopened
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 1.5.0
Resolution: | Keywords: newcaps security
Launchpad_bug: |
-----------------------------------+----------------------------------------
Comment(by davidsarah):
http://allmydata.org/pipermail/tahoe-dev/2007-September/000134.html
> After the cap-talk meeting, Brian and I agreed -- I thought -- not to
> bother making the URL field read-only, and instead to document the
> fact that sharing a URL will (by default) share write access to your
> directory as well as read access. Apparently Brian remains
> interested in a JavaScript hack to read-only-ify URLs after loading
> them.
When using the WUI, is it only for directories that the URL will represent
a write cap? (Directory listings do not contain untrusted scripts, so this
bug shouldn't be a problem in the directory case.)
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/821#comment:5>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid