[tahoe-lafs-trac-stream] [tahoe-lafs] #992: Store Content-Type as part of directory entries
tahoe-lafs
trac at tahoe-lafs.org
Thu May 17 21:29:27 UTC 2012
#992: Store Content-Type as part of directory entries
-----------------------------+--------------------------------
     Reporter:  jsgf         |          Owner:  somebody
         Type:  enhancement  |         Status:  new
     Priority:  major        |      Milestone:  undecided
    Component:  code         |        Version:  1.6.0
   Resolution:               |       Keywords:  metadata integrity
Launchpad Bug:               |
-----------------------------+--------------------------------
Comment (by nejucomo):
It is important for security for the web gateway to validate the syntax of
the header in order to prevent response splitting attacks. Response
splitting is an injection attack where the input spliced into a header
field contains '\r\n' then possibly more headers, then possibly a complete
response body.
This would allow a malicious directory (or file-cap-associated metadata)
to impersonate the web gateway.
And of course, for user-friendliness and defense in depth, it would be nice
if all clients and server-side metadata storage used the same validation
parser. (i.e.: "tahoe put --content-type 'barf\0\r\nWhee!' myfile" would
say something about an invalid content type before attempting any network
I/O.)
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/992#comment:5>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
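
A sketch of the shared validation parser the comment asks for, added here as an example and not taken from the Tahoe-LAFS code base. The names validate_content_type, content_type_header and InvalidContentType, the 255-character limit and the application/octet-stream fallback are all assumptions; the grammar is the media-type syntax of RFC 9110, narrowed to printable ASCII.

```python
import re

# token (RFC 9110, section 5.6.2): no separators, whitespace or control characters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string narrowed to printable ASCII, so CR, LF and NUL can never appear,
# not even behind a backslash.
_QUOTED = r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"'
_PARAM = r"[ \t]*;[ \t]*" + _TOKEN + r"=(?:" + _TOKEN + r"|" + _QUOTED + r")"
_MEDIA_TYPE = re.compile(_TOKEN + r"/" + _TOKEN + r"(?:" + _PARAM + r")*")

MAX_LENGTH = 255  # assumed limit, not a Tahoe-LAFS constant


class InvalidContentType(ValueError):
    """Raised when a value is not a syntactically valid media type."""


def validate_content_type(value):
    """Return value unchanged if it is a valid media type, else raise.

    Intended to be called by the CLI before any network I/O, by the code
    that stores directory-entry metadata, and by the web gateway.
    """
    if not isinstance(value, str):
        raise InvalidContentType("content type must be text")
    if len(value) > MAX_LENGTH:
        raise InvalidContentType("content type too long")
    # fullmatch, not match with '$': '$' also matches just before a trailing
    # newline, which would let "text/plain\n" through.
    if _MEDIA_TYPE.fullmatch(value) is None:
        raise InvalidContentType("not a valid media type: %r" % (value,))
    return value


def content_type_header(stored_value, fallback="application/octet-stream"):
    """Gateway side: build the header from metadata read out of a directory.

    The stored value comes from a directory that may be malicious, so it is
    validated again here and replaced by the fallback if it fails.
    """
    try:
        return ("Content-Type", validate_content_type(stored_value))
    except InvalidContentType:
        return ("Content-Type", fallback)
```

Validating on output as well as on input matters because the gateway reads directory metadata that another client may have written without any check.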