#127 | Cap URLs leaked via HTTP Referer header | assigned | davidsarah | defect | major | soon |
#318 | wapi: test that we return 200 or 201 as appropriate | new | | defect | major | soon |
#324 | use POST for operations whose noun doesn't denote the same resource that a GET would denote, or that have side effects | new | | defect | major | soon |
#366 | address Nathan Wilcox's concerns about "Tahoe and the browser security model" | new | nejucomo | defect | major | eventually |
#462 | PUT should elicit 100 Continue | new | | defect | major | soon |
#471 | servermap update chart doesn't fit | new | | defect | major | eventually |
#529 | Implement Halt and Catch Fire | new | | defect | major | undecided |
#554 | some directory targets in wapi/wui require trailing slashes | assigned | davidsarah | defect | major | soon |
#568 | make immutable check/verify/repair and mutable check/verify work given only a verify cap | new | daira | defect | major | soon |
#587 | Web nodes provide ambient upload authority | new | daira | defect | major | soon |
#589 | JSON link does not work if there is a '#' character in the file name. | new | | defect | major | eventually |
#615 | Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe? | assigned | davidsarah | defect | critical | soon |
#631 | trailing spaces in filenames break the WUI rename function | new | | defect | major | soon |
#677 | WebAPI: GET /uri/$FILECAP?t=json doesn't return size for mutable files, but the HTML version does | assigned | davidsarah | defect | minor | soon |
#679 | /storage emitting exception - lease reporting code | assigned | davidsarah | defect | major | undecided |
#686 | Search for lost share resulted in a directory popping up at unexpected place | assigned | daira | defect | major | soon |
#766 | repair results Summary field says "Unhealthy" even though it is healthy after the repair, if it was unhealthy before | assigned | davidsarah | defect | major | soon |
#813 | string exception raised to web renderer? | new | somebody | defect | minor | undecided |
#821 | A script in a file viewed through the WUI can obtain the file's read cap | assigned | davidsarah | defect | major | soon |
#822 | Web API should use a more reliable, out-of-band means of reporting errors (such as a server connection being lost) during a download | new | | defect | major | soon |
#823 | WUI server should have a disallow-all robots.txt | new | | defect | major | undecided |
#824 | WUI pages lack correct XHTML 1.0 Transitional declarations | assigned | daira | defect | normal | soon |
#826 | Rename action in WUI has no confirmation for clobbering another entry | new | | defect | major | soon |
#827 | Put file download links ('?save=true') in WUI directory listings | assigned | davidsarah | defect | major | soon |
#857 | Make operation-handle-querying use only a little memory | new | nobody | defect | major | undecided |
#884 | give nice error page when URL is mangled or from the future | assigned | davidsarah | defect | major | soon |
#885 | Ignore space or %20 in webapi URLs | assigned | davidsarah | defect | major | soon |
#891 | web gateway memory grows without bound under load | new | warner | defect | critical | soon |
#903 | webapi t=mkdir-with-children and mkdir-immutable: behavior when directory already exists? | new | | defect | minor | eventually |
#906 | ETag support for mutable files and directories | new | | defect | major | undecided |
#907 | Stop caps from leaking to phishing-filter servers | assigned | davidsarah | defect | minor | eventually |
#918 | Abstraction violations in web/info.py | assigned | davidsarah | defect | minor | eventually |
#920 | mkdir-immutable probably shouldn't implicitly create (mutable) intermediate directories | new | | defect | minor | eventually |
#922 | The URL of the info page for an unknown dirnode should not grant authority to the containing directory | assigned | davidsarah | defect | major | soon |
#951 | uploads aren't cancelled by closing the web page | assigned | zooko | defect | major | undecided |
#970 | webapi PUT via multiple nodes can cause directory corruption but does not report UncoordinatedWriteError | new | nobody | defect | minor | undecided |
#975 | results of deep-size should include mutable files | new | | defect | major | soon |
#976 | status of mutable file retrieve gives less information than an immutable download | new | | defect | minor | undecided |
#979 | AssertionError on DELETE when child links point to yourself | new | | defect | major | soon |
#995 | It's way too easy to give away write directory caps | new | nobody | defect | major | undecided |
#997 | The webapi/WUI should have https enabled by default | new | nobody | defect | major | undecided |
#1008 | Unhandled error conditions disclose detailed information | new | | defect | major | eventually |
#1141 | Cannot Delete Or Rename Files/Directories With Wacky Names | assigned | davidsarah | defect | major | soon |
#1142 | Unlikely XSS Potential in File Names in WUI | new | nobody | defect | major | undecided |
#1144 | Loopy/Uninhibited/Overlarge Filename Makes Web Server Crump | new | nobody | defect | major | undecided |
#1171 | add regression test for shnums: "e,r,r,o,r" | reopened | warner | defect | normal | soon |
#1173 | cancelled downloads are marked incorrectly on the Recent Uploads/Downloads page | assigned | zooko | defect | major | soon |
#1176 | webapi should avoid using plaintext temporary file for uploads | new | | defect | major | soon |
#1198 | Bogus tub location causes introducer error | new | | defect | major | soon |
#1203 | /storage is insufficiently verbose when no crawl running | new | nobody | defect | normal | eventually |
#1221 | operation stats are not sufficient to understand what's wrong | new | | defect | major | undecided |
#1234 | UnrecoverableFileError message should say which file it refers to | assigned | davidsarah | defect | major | soon |
#1265 | New Visualizer is insufficiently labelled/documented (plus layout problem) | assigned | zooko | defect | major | soon |
#1369 | allow static HTML files to be transcluded into WUI Welcome and directory listing pages | new | | defect | major | undecided |
#1375 | the performance stats for each upload or download are undiscoverable | new | tarcieri | defect | normal | undecided |
#1386 | KeyError: 'file' if the local file is removed after selection and before Submit | new | daira | defect | normal | soon |
#1434 | DYHB requests misrendered in download visualization | new | warner | defect | major | soon |
#1436 | web interface using wrong address / port number when doing ssh port forwarding | new | | defect | major | soon |
#1462 | add legend to Recent Uploads and Downloads page, explain LIT | new | T_X | defect | major | soon |
#1485 | web-API: POSTs and GETs should be to distinct URLs | assigned | davidsarah | defect | major | eventually |
#1492 | introducer status page is ugly | new | | defect | normal | soon |
#1502 | WUI: make type field more regular, and show SDMF vs MDMF | new | | defect | major | soon |
#1551 | WUI: the Upload results page should have both view and download links | new | | defect | major | eventually |
#1560 | POST /uri?t=upload should give Upload Results consistently (even mutable) | new | | defect | minor | eventually |
#1639 | 'Return to file/directory' link from file check results gives an error | assigned | davidsarah | defect | major | soon |
#1649 | WUI: the error message page for a writeable file/directory nonobviously includes the write cap | assigned | davidsarah | defect | major | undecided |
#1664 | webapi fails to handle all TCP disconnects: "Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this." | new | nobody | defect | major | soon |
#1666 | test that an upload with no Content-Length (and not chunked) gives HTTP 411 Length Required | new | | defect | normal | soon |
#1706 | The "Report!" button in the "Report an Incident" form field redirects to a misleading/incomplete message | new | zancas | defect | normal | undecided |
#1726 | new visualizer needs labels with units | new | warner | defect | normal | soon |
#1727 | New Visualizer has layout bug where serverids and other things scribble over each other | new | warner | defect | normal | soon |
#1764 | tahoe webapi gives HTTP 410 Gone for files that may actually come back | new | ChosenOne | defect | normal | soon |
#1774 | exception in twistd.log from web parser | new | | defect | minor | undecided |
#1797 | WUI: view content in an HTML5 sandboxed iframe | new | | defect | major | soon |
#1798 | Segregate gateway HTTP ports: one for raw bytes and one for generated WUI pages | new | freddyb | defect | major | soon |
#1799 | Document how to distinguish exceptions from JSON, or encode exceptions as JSON | new | | defect | normal | undecided |
#1809 | WUI: upload to directory fails due to no file name | new | | defect | normal | undecided |
#1846 | add "started" timestamp on the current operations on Recent Uploads and Downloads | new | | defect | normal | undecided |
#1859 | Proof-of-concept attack: Upload and execute attacker controlled js from any domain. | new | davidsarah | defect | major | undecided |
#1889 | allmydata.mutable.common.NotEnoughServersError does not produce a "humanized" failure message | new | | defect | normal | soon |
#1895 | implement replace=false for file upload into a mutable directory | new | davidsarah | defect | normal | undecided |
#1898 | deep check on a non-directory gives unhelpful "400 Bad Request" error | assigned | davidsarah | defect | normal | soon |
#1899 | make reported max-mutable-share-size have the same semantics as max-immutable-share-size | new | | defect | normal | soon |
#1902 | WUI: "Download a file" should error on directory | assigned | Lcstyle | defect | normal | soon |
#1904 | filenames leak into log files from rename (and other web-API operations that take filenames) | new | | defect | major | undecided |
#1914 | tahoe check reports incorrect encoding | new | | defect | normal | undecided |
#1928 | web redirects should use relative URLs | assigned | davidsarah | defect | normal | soon |
#1930 | should ?t=rename be deprecated in favour of ?t=move ? | new | | defect | normal | soon |
#1931 | WUI: niggles in the new Welcome page | new | daira | defect | normal | soon |
#1967 | make new WUI work on phone | new | | defect | normal | undecided |
#2070 | WUI: what's the difference between "Immutable" and "SDMF"? | new | | defect | normal | undecided |
#2093 | State-mutating GET methods in webapi. | new | daira | defect | normal | undecided |
#2125 | don't cache failures! | new | | defect | major | undecided |
#2126 | send application/json content-type for JSON response | new | | defect | normal | undecided |
#2136 | Use Content-Security-Policy to harden the WUI | new | daira | defect | normal | undecided |
#2302 | update the Content-Disposition and filename stuff for modern standards and practice | new | | defect | normal | soon |
#2401 | authentication via proxy breaks "tahoe backup" | new | | defect | normal | soon |
#2532 | storage server running 1.10.2 shows 2^64 bytes available to clients | new | | defect | normal | undecided |
#2590 | GET /operations/$HANDLE?output=json is not JSON | new | | defect | normal | undecided |
#2716 | Exception on WUI | new | | defect | normal | undecided |