[tahoe-lafs-trac-stream] [tahoe-lafs] #1649: WUI: the error message page for a writeable file/directory nonobviously includes the write cap

tahoe-lafs trac at tahoe-lafs.org
Sat Dec 31 00:29:29 UTC 2011


#1649: WUI: the error message page for a writeable file/directory nonobviously
includes the write cap
----------------------------------------+---------------------------
 Reporter:  davidsarah                  |          Owner:
     Type:  defect                      |         Status:  new
 Priority:  major                       |      Milestone:  undecided
Component:  code-frontend-web           |        Version:  1.9.0
 Keywords:  usability security capleak  |  Launchpad Bug:
----------------------------------------+---------------------------
 In the case of a directory, for example, the target URL of the 'More info
 on this directory' link includes the write cap. This is not excess
 authority because the 'More info' page itself includes the write cap and
 so needs to know it; however, it's not visually obvious that by sending
 someone just the HTML file of the error page, you are giving them the
 write cap.

 (OTOH, I was prompted to file this ticket by someone who did exactly that
 and '''did''' understand that they were giving away the write cap.)

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1649>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
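
As an added illustration of the issue in this ticket (not Tahoe-LAFS code and not from the reporter): a check that can be run over a saved WUI page before sending it to someone, listing any write caps found in link targets or visible text. The sample HTML and its cap fields are constructed placeholders, and the function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Tahoe-LAFS cap prefixes that confer write authority (mutable file / directory).
# Read-only, verify and immutable caps (SSK-RO, DIR2-RO, CHK, ...) do not match.
WRITE_PREFIXES = ("URI:SSK:", "URI:MDMF:", "URI:DIR2:", "URI:DIR2-MDMF:")
# "URI:" + type + ":" followed by colon-separated fields.
CAP_RE = re.compile(r"URI:[A-Za-z0-9-]+:[A-Za-z0-9:]+")

class CapFinder(HTMLParser):
    """Collect caps from attribute values (e.g. link targets) and visible text."""
    def __init__(self):
        super().__init__()
        self.found = []  # (location, cap) pairs

    def _scan(self, where, text):
        # Link targets percent-encode the colons (URI%3ADIR2%3A...), so decode first.
        for cap in CAP_RE.findall(unquote(text)):
            self.found.append((where, cap))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)

def find_write_caps(html):
    """Return (location, cap) pairs for every write cap present in the HTML."""
    finder = CapFinder()
    finder.feed(html)
    finder.close()
    return [(w, c) for w, c in finder.found if c.startswith(WRITE_PREFIXES)]

# Constructed sample: not the real WUI markup; cap fields are placeholders.
SAMPLE = """<html><body><h1>Error</h1>
<a href="/uri/URI%3ADIR2%3Aaaaa%3Abbbb/?t=info">More info on this directory</a>
<a href="/uri/URI%3ADIR2-RO%3Acccc%3Adddd/">read-only view</a>
</body></html>"""

if __name__ == "__main__":
    for where, cap in find_write_caps(SAMPLE):
        print(f"write cap in {where}: {cap.split(':')[1]} (value not shown)")
```

The report prints only the cap type, so the checker's own output does not leak the cap a second time.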

