[tahoe-lafs-trac-stream] [tahoe-lafs] #1665: Brainstorm webapi vulnerabilities between the operator and a user and between users.

tahoe-lafs trac at tahoe-lafs.org
Wed Jan 25 04:57:04 UTC 2012 

#1665: Brainstorm webapi vulnerabilities between the operator and a user and
between users.
-----------------------------------+-----------------------
     Reporter:  nejucomo           |      Owner:
         Type:  task               |     Status:  new
     Priority:  major              |  Milestone:  undecided
    Component:  code-frontend-web  |    Version:  n/a
   Resolution:                     |   Keywords:
Launchpad Bug:                     |
-----------------------------------+-----------------------
Description changed by nejucomo:

Old description:

> '''Problem''': The webapi interface design seems to presume the node
> operator and users are mutually trusting.  There is some demand for
> "public" web gateways to content in a LAFS network, where the users and
> gateway operator do not fully trust each other.
>
> '''Resolution''': This ticket is resolved when the vulnerabilities are
> enumerated to the operator coming from users, to the users from the
> operator, and from the users between themselves.
>
> '''Bonus Points''' awarded for each of: configuration options which
> reduce a given vulnerabily's risk; workarounds which do not require code
> patches (external tools are ok); and outlines of code patches to reduce
> the vulnerability.

New description:

 '''Problem''': The webapi interface design seems to presume the node
 operator and users are mutually trusting.  There is some demand for
 "public" web gateways to content in a LAFS network, where the users and
 gateway operator do not fully trust each other.

 '''Resolution''': This ticket is resolved when the vulnerabilities are
 enumerated to the operator coming from users, to the users from the
 operator, and from the users between themselves.

 '''Bonus Points''' awarded for each of: configuration options which reduce
 a given vulnerabily's risk; workarounds which do not require code patches
 (external tools are ok); and outlines of code patches to reduce the
 vulnerability.

 '''Related Tickets''':
 * #1663 is for documenting the complete URL tree in a concise table.
 * #860 is a user request for a public gateway that does not expose the
 introducer furl.
 * #587 points out that any webapi user may upload content (even without
 using capabilities).

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1665#comment:1>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage

More information about the tahoe-lafs-trac-stream mailing list