[tahoe-lafs-trac-stream] [Tahoe-LAFS] #1720: privacy leak because web.static does not exist

Tahoe-LAFS trac at tahoe-lafs.org
Thu Apr 28 07:44:20 UTC 2016


#1720: privacy leak because web.static does not exist
-----------------------------------+------------------------------------
     Reporter:  jg71               |      Owner:  davidsarah
         Type:  defect             |     Status:  closed
     Priority:  normal             |  Milestone:  undecided
    Component:  code-frontend-web  |    Version:  1.9.1
   Resolution:  fixed              |   Keywords:  privacy anonymity easy
Launchpad Bug:                     |
-----------------------------------+------------------------------------
Changes (by Brian Warner <warner@…>):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"5a5ba643e66d7e340b57664800013c29258ceb4e/trunk"
 5a5ba64/trunk]:
 {{{
 #!CommitTicketReference repository="trunk"
 revision="5a5ba643e66d7e340b57664800013c29258ceb4e"
 use twisted.web.static, not nevow.static, for public_html/

 This avoids a privacy leak when the web.static= directory is configured
 but doesn't exist (which is almost always, since we set `web.static =
 public_html` in the default config file, but nothing automatically
 creates it). The nevow.static.File class tries to os.stat() the
 directory before doing anything else, which causes an exception, which
 renders the traceback to the HTTP client as a 500 Internal Server Error,
 and the traceback includes the full path of the missing public_html
 directory, which reveals the node's basedir.

 Plain twisted.web.static.File doesn't do this check, and a missing
 web.static directory just results in a plain old 404.

 Closes ticket:1720.
 }}}

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1720#comment:6>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
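
The failure mode described in the commit message above, as an added example (not code from Tahoe-LAFS, Nevow or Twisted): a standard-library model of a handler that stats the static root and renders the traceback, beside one that answers a plain 404, with a check that the response body never contains the node's basedir. The handler names, `serve`, `leaks_basedir` and the temporary basedir are assumptions made for illustration.

```python
import os
import tempfile
import traceback

def serve(static_root, url_path):
    """Read a file below static_root; raises OSError if it is missing or outside the root."""
    root = os.path.realpath(static_root)
    target = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise FileNotFoundError("outside static root")
    with open(target, "rb") as f:
        return 200, f.read().decode("utf-8", "replace")

def eager_stat_handler(static_root, url_path):
    """Model of the leaky behaviour: stat the root first, render any failure as a 500."""
    try:
        os.stat(static_root)  # raises if public_html was never created
        return serve(static_root, url_path)
    except Exception:
        # The exception text carries the full path, so the traceback discloses it.
        return 500, traceback.format_exc()

def not_found_handler(static_root, url_path):
    """Model of the fixed behaviour: a missing root or file is just a 404."""
    try:
        return serve(static_root, url_path)
    except OSError:
        return 404, "404 Not Found"

def leaks_basedir(handler, basedir):
    """Request a page from a configured-but-missing public_html and inspect the body."""
    status, body = handler(os.path.join(basedir, "public_html"), "/index.html")
    return status, basedir in body

def demo():
    # Constructed stand-in for a node basedir; public_html is deliberately not created.
    with tempfile.TemporaryDirectory() as basedir:
        return leaks_basedir(eager_stat_handler, basedir), leaks_basedir(not_found_handler, basedir)

if __name__ == "__main__":
    print(demo())
```

The `leaks_basedir` check works as a regression test for any error path: feed it the configured basedir and assert that no response body contains it.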

