| 7 | | Nathan Wilcox has discovered that the new web API in allmydata-tahoe |
| 8 | | version 0.5 is vulnerable to XSRF attack. An XSRF -- or "Cross-Site |
| 9 | | Reference Forgery" attack -- is one in which an attacker creates an |
| 10 | | innocuous-looking hyperlink, and if a user clicks on that hyperlink |
| 11 | | then it causes deletion or theft of the user's data. We are working |
| 12 | | on a fix for this problem, and in the meantime if you have stored any |
| 13 | | private or precious data on a tahoe grid, then you can make sure that |
| 14 | | you are not exposed to this threat by shutting down your tahoe node |
| 15 | | before browsing the web. |
| | 7 | This fixes a security flaw in Tahoe v0.5.0. |
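Review bot: the advisory text deleted here expands XSRF as "Cross-Site Reference Forgery"; the standard expansion is Cross-Site Request Forgery, and because the attack works by having the victim's browser send a request to the node's web API on the attacker's behalf, a crafted page can trigger it without any click (an auto-submitting form or an image tag pointing at the node's URL is enough), so "if a user clicks on that hyperlink" understates the exposure. The one-line replacement "This fixes a security flaw in Tahoe v0.5.0." also drops the interim mitigation (shut down the node before browsing); if this edit announces the fixed release, name that version so readers know which build is safe, otherwise keep the mitigation sentence until one is available.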
| 17 | | You can read more about the attack and our fix in the mailing list archves: |
| 18 | | |
| 19 | | http://allmydata.org/pipermail/tahoe-dev/ |
| 20 | | |
| 21 | | and in this bug tracker ticket: |
| 22 | | |
| 23 | | http://allmydata.org/trac/tahoe/ticket/98 |
| 24 | | |
| 25 | | === 2007-08-17 -- Allmydata Tahoe v0.5 released! === |
| 26 | | |
| 27 | | This version adds a RESTful API allowing you to program your Tahoe node in the language of your choice, as well as a command-line API in the Unix style, and some performance improvements. |
| 28 | | |
| 29 | | Please see [source:relnotes.txt@1129 the Release Notes]. |
| | 9 | Please see [source:relnotes.txt@1154 the Release Notes]. |
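Review bot: the deleted links to the mailing-list archive and to http://allmydata.org/trac/tahoe/ticket/98 were the only pointers to the details of the flaw and its fix, and the replacement only bumps the Release Notes reference from relnotes.txt@1129 to relnotes.txt@1154; consider keeping the ticket link next to the release-notes link so the shortened announcement still leads to the advisory. ("archves" in the deleted line is a typo for "archives", moot once the line is gone.)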