[tahoe-lafs-trac-stream] [tahoe-lafs] #1649: WUI: the error message page for a writeable file/directory nonobviously includes the write cap
tahoe-lafs
trac at tahoe-lafs.org
Sat Sep 14 17:40:28 UTC 2013
#1649: WUI: the error message page for a writeable file/directory nonobviously includes the write cap
------------------------------+-----------------------------------------------
Reporter: davidsarah          | Owner: davidsarah
Type: defect                  | Status: assigned
Priority: major               | Milestone: undecided
Component: code-frontend-web  | Version: 1.9.0
Resolution:                   | Keywords: usability security capleak websec
Launchpad Bug:                |
------------------------------+-----------------------------------------------
Changes (by zooko):
* keywords: usability security capleak => usability security capleak websec
Old description:
> In the case of a directory, for example, the target URL of the 'More info
> on this directory' link includes the write cap. This is not excess
> authority because the 'More info' page itself includes the write cap and
> so needs to know it; however, it's not visually obvious that by sending
> someone just the HTML file of the error page, you are giving them the
> write cap.
>
> (OTOH, I was prompted to file this ticket by someone who did exactly that
> and '''did''' understand that they were giving away the write cap.)
New description:
In the case of a directory, for example, the target URL of the 'More info
on this directory' link includes the write cap. This is not excess
authority because the 'More info' page itself includes the write cap and
so needs to know it; however, it's not visually obvious that by sending
someone just the HTML file of the error page, you are giving them the
write cap.
(OTOH, I was prompted to file this ticket by someone who did exactly that
and '''did''' understand that they were giving away the write cap.)
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1649#comment:2>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
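A check for the leak this ticket describes, added here as an example and not part of the ticket or of the Tahoe-LAFS code: it parses a saved WUI page, lists every capability string found in link targets or visible text, and flags the ones whose type tag grants write authority, so a page can be inspected before it is shared. The sample HTML, the cap values and the `?t=info` link form are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A Tahoe-LAFS capability string is "URI:<type>:<base32 field>:...". For
# mutable files (SSK, MDMF) and directories (DIR2, DIR2-MDMF) the bare type
# tag is the write cap; "-RO" and "-Verifier" suffixes are diminished caps.
CAP_RE = re.compile(r"URI:([A-Za-z0-9-]+)((?::[a-z0-9]+)+)")
WRITE_TAGS = {"SSK", "MDMF", "DIR2", "DIR2-MDMF"}


class _CapCollector(HTMLParser):
    """Gather link targets and visible text so caps can be located."""
    def __init__(self):
        super().__init__()
        self.chunks = []  # (where, text) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                # WUI links carry the cap URL-encoded (URI%3ADIR2%3A...).
                self.chunks.append((f"<{tag} {name}>", unquote(value)))

    def handle_data(self, data):
        self.chunks.append(("text", data))


def find_caps(html):
    """Return (where, cap, grants_write) for every cap found in the page."""
    collector = _CapCollector()
    collector.feed(html)
    found = []
    for where, text in collector.chunks:
        for m in CAP_RE.finditer(text):
            found.append((where, m.group(0), m.group(1) in WRITE_TAGS))
    return found


def write_caps(html):
    """Distinct write caps a recipient of this HTML would obtain."""
    return sorted({cap for _, cap, w in find_caps(html) if w})


# Constructed placeholders: field lengths mimic a directory cap, not real keys.
WRITE_CAP = "URI:DIR2:" + "a" * 26 + ":" + "b" * 52
READ_CAP = "URI:DIR2-RO:" + "c" * 26 + ":" + "d" * 52
SAMPLE_HTML = (
    "<html><body><h1>Error</h1><p>The directory could not be retrieved.</p>"
    f'<a href="/uri/{WRITE_CAP.replace(":", "%3A")}?t=info">More info on this directory</a>'
    f"<p>Read-only view: {READ_CAP}</p></body></html>"
)
```

Running `write_caps(SAMPLE_HTML)` on the sample returns only the directory write cap hidden in the 'More info' link; the read-only cap in the body text is reported by `find_caps` but not flagged.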