[tahoe-dev] [tahoe-lafs] #674: controlled access to your WUI

tahoe-lafs trac at allmydata.org
Fri Apr 3 15:56:17 UTC 2009

#674: controlled access to your WUI
 Reporter:  zooko        |           Owner:  nobody   
     Type:  enhancement  |          Status:  new      
 Priority:  major        |       Milestone:  undecided
Component:  unknown      |         Version:  1.3.0    
 Keywords:               |   Launchpad_bug:           
 Currently the Welcome Page of the WUI is reachable without knowing any
 secret, for example, this one: http://testgrid.allmydata.org:3567 .   (If
 you configure your WUI to listen for connections only from localhost then
 that prevents people from connecting to it from other hosts, but it
 doesn't prevent CSRF attacks in which someone posts a web page to Tahoe,
 and when you view that page with JavaScript enabled, or click on a button
 on that page, then it accesses your WUI.)

 It would be good to have a page which is access-controlled by use of a
 secret capability even though it isn't specific to a file or directory.
 The entire Welcome Page might belong no that Access Controlled Welcome
 Page, or maybe only the sensitive pieces would go onto the Access
 Controlled Welcome Page.

 As an example (this might or might not be a good idea), the Access
 Controlled Welcome Page could have a log of the caps of all of your recent

Ticket URL: <http://allmydata.org/trac/tahoe/ticket/674>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid

More information about the tahoe-dev mailing list