#380 closed defect (fixed)
webapi: remove 'mkdir-p' API since it logs pathnames
Reported by: | warner | Owned by: | warner |
---|---|---|---|
Priority: | major | Milestone: | 1.9.2 |
Component: | code-frontend-web | Version: | 1.0.0 |
Keywords: | privacy docs logging news | Cc: | |
Launchpad Bug: |
Description
We did a pass through the HTTP logging in webish.py to make sure that no pathnames or other sensitive data is recorded in the logs. The mkdir-p call got added after this pass, and needs to be fixed to not record that information.
Attachments (1)
Change History (16)
comment:1 Changed at 2008-04-25T00:21:36Z by warner
comment:2 Changed at 2008-05-05T21:08:36Z by zooko
- Milestone changed from 1.0.1 to 1.1.0
Milestone 1.0.1 deleted
comment:3 Changed at 2008-05-29T22:29:35Z by warner
- Milestone changed from 1.1.0 to 1.2.0
comment:4 Changed at 2008-05-30T02:09:55Z by warner
- Summary changed from webapi 'mkdir-p' calls should not log pathnames to webapi: remove 'mkdir-p' API since it logs pathnames
I added the new API: POST /uri/$ROOT/path/to/be/made?t=mkdir . I think the only user of the old API is the allmydata migration process, so once that is complete we can remove the t=mkdir-p API and documentation altogether.
comment:5 Changed at 2009-06-30T12:39:44Z by zooko
- Milestone changed from 1.5.0 to eventually
comment:6 Changed at 2010-01-07T01:07:07Z by davidsarah
- Keywords privacy docs added
comment:7 Changed at 2010-10-23T00:46:23Z by davidsarah
- Keywords logging added
comment:8 Changed at 2011-07-22T23:42:56Z by davidsarah
- Keywords review-needed added
- Milestone changed from eventually to soon
- Owner set to warner
comment:9 Changed at 2011-08-02T00:22:25Z by davidsarah
- Keywords news added
Proposed NEWS:
- The unused ?t=mkdir-p operation has been removed from the web-API. (`#380`_)
comment:10 Changed at 2012-05-13T02:22:12Z by Brian Warner <warner@…>
- Resolution set to fixed
- Status changed from new to closed
In eb2a4ef24611f3bc:
(The changeset message doesn't reference this ticket)
comment:11 Changed at 2012-05-13T02:22:49Z by Brian Warner <warner@…>
In eb2a4ef24611f3bc:
comment:12 Changed at 2012-05-13T02:23:51Z by warner
- Keywords review-needed removed
- Milestone changed from soon to 1.10.0
code has landed, ticket closed!
comment:13 Changed at 2012-05-16T22:38:03Z by zooko
- Milestone changed from 1.10.0 to 1.9.2
I reviewed eb2a4ef24611f3bc and didn't see any problem with it.
comment:14 Changed at 2012-05-16T22:38:16Z by zooko
- Milestone changed from 1.9.2 to 1.10.0
comment:15 Changed at 2012-05-16T22:55:55Z by davidsarah
- Milestone changed from 1.10.0 to 1.9.2
This API is removed on the 1.9.2 branch: [5462/1.9.2]. Since there are no references to it in the source or docs and since we don't want to encourage its use, I decided this was safe even for a point release.
Changing the API to be POST /uri/$ROOT/path/to/be/made?t=mkdir would take care of this automatically, since we currently censor everything between /uri and the question mark. But I think the current API is more like POST /uri/$ROOT?t=mkdir-p&path=/path/to/be/made.
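Added example, not part of the ticket or of Tahoe-LAFS's own code: a sketch of the censoring rule described above ("everything between /uri and the question mark"), run over the two request shapes quoted in this ticket. It shows why a pathname carried in the query string reaches the log. The function names, the `[CENSORED]` marker and the query-key allowlist are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, quote

CENSORED = "[CENSORED]"
# Assumption: only the operation selector "t" is safe to log verbatim.
SAFE_QUERY_KEYS = {"t"}

# Constructed request lines in the two shapes quoted in the ticket.
NEW_STYLE = "/uri/$ROOT/path/to/be/made?t=mkdir"
OLD_STYLE = "/uri/$ROOT?t=mkdir-p&path=/path/to/be/made"


def _censor_path(path):
    # Hide the cap and any child path that follow "/uri/".
    return "/uri/" + CENSORED if path.startswith("/uri/") else path


def censor_path_only(request_uri):
    """The rule the ticket describes: censor between /uri and the '?'."""
    path, sep, query = request_uri.partition("?")
    return _censor_path(path) + sep + query


def censor_path_and_query(request_uri):
    """Stricter variant: also redact every query value not on the allowlist."""
    path, sep, query = request_uri.partition("?")
    if not sep:
        return _censor_path(path)
    parts = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        shown = quote(value, safe="") if key in SAFE_QUERY_KEYS else CENSORED
        parts.append(f"{quote(key, safe='')}={shown}")
    return _censor_path(path) + "?" + "&".join(parts)


if __name__ == "__main__":
    for uri in (NEW_STYLE, OLD_STYLE):
        print("path-only :", censor_path_only(uri))
        print("path+query:", censor_path_and_query(uri))
```

With the path-only rule the `t=mkdir` form logs no pathname, while the `t=mkdir-p&path=...` form logs it in full; the allowlist variant redacts it in both.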