[tahoe-lafs-trac-stream] [tahoe-lafs] #907: Stop caps from leaking to phishing-filter servers

tahoe-lafs trac at tahoe-lafs.org
Sat Sep 14 17:39:02 UTC 2013


#907: Stop caps from leaking to phishing-filter servers
--------------------------------------------------------------------------
      Reporter:  davidsarah
         Owner:  davidsarah
          Type:  defect
        Status:  assigned
      Priority:  minor
     Milestone:  eventually
     Component:  code-frontend-web
       Version:  1.5.0
    Resolution:
      Keywords:  capleak integrity confidentiality forward-compatibility
                 newurls docs websec
 Launchpad Bug:
--------------------------------------------------------------------------
Changes (by zooko):

 * keywords:  capleak integrity confidentiality forward-compatibility
     newurls docs =>
     capleak integrity confidentiality forward-compatibility newurls docs
     websec


Old description:

> Some phishing filters send URLs to a filter on some other machine. That's
> a bad idea and probably not very effective at preventing phishing, but
> they do it anyway. However, they strip query parts before sending it to
> the filter (according to Tyler Close and the web calculus documentation).
>
> The webapi accepts URLs of the form {{{http://host:port/uri?uri=...}}},
> but it redirects to an URL of the form {{{http://host:port/uri/...}}}. We
> should prefer to put the cap in the query, and we should probably also
> allow the shorter form {{{http://host:port/?...}}}.

New description:

 Some phishing filters send URLs to a filter on some other machine. That's
 a bad idea and probably not very effective at preventing phishing, but
 they do it anyway. However, they strip query parts before sending it to
 the filter (according to Tyler Close and the web calculus documentation).

 The webapi accepts URLs of the form {{{http://host:port/uri?uri=...}}},
 but it redirects to an URL of the form {{{http://host:port/uri/...}}}. We
 should prefer to put the cap in the query, and we should probably also
 allow the shorter form {{{http://host:port/?...}}}.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/907#comment:18>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
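
Added example, not part of the ticket or of Tahoe-LAFS's own code: a sketch of the two webapi URL forms named in the description and of what a filter would receive if, as the ticket states, query parts are stripped before the URL is sent. The function names, the sample cap and the host are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, quote, unquote, parse_qs

# Constructed placeholder, not a real capability.
SAMPLE_CAP = "URI:DIR2:EXAMPLEWRITEKEY:EXAMPLEFINGERPRINT"


def filter_view(url):
    """URL as a remote filter would see it, assuming (per the ticket)
    that the query part is stripped first; the fragment is dropped too."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def extract_cap(url):
    """Return the cap carried by either form, or None if there is none."""
    p = urlsplit(url)
    if p.path.startswith("/uri/"):
        # Path form: http://host:port/uri/<cap>[/child/path]
        first = p.path[len("/uri/"):].split("/", 1)[0]
        return unquote(first) or None
    if p.path.rstrip("/") == "/uri":
        # Query form: http://host:port/uri?uri=<cap>
        return parse_qs(p.query).get("uri", [None])[0]
    return None


def leaks_to_filter(url):
    """True if the cap is still recoverable from what the filter receives."""
    return extract_cap(url) is not None and extract_cap(filter_view(url)) is not None


def to_query_form(url):
    """Rewrite /uri/<cap> as /uri?uri=<cap>, keeping any existing query.
    URLs with a child path after the cap are returned unchanged, because
    the ticket does not define a query form for them."""
    p = urlsplit(url)
    cap = extract_cap(url)
    rest = p.path[len("/uri/"):]
    if cap is None or not p.path.startswith("/uri/") or "/" in rest:
        return url
    query = "uri=" + quote(cap, safe="")
    if p.query:
        query += "&" + p.query
    return urlunsplit((p.scheme, p.netloc, "/uri", query, ""))
```

With the path form the whole cap survives `filter_view`; with the query form only `http://host:port/uri` does.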

