[tahoe-dev] [tahoe-lafs] #674: controlled access to your WUI

tahoe-lafs trac at allmydata.org
Tue Apr 28 04:15:29 UTC 2009


#674: controlled access to your WUI
-------------------------+--------------------------------------------------
 Reporter:  zooko        |           Owner:  nobody   
     Type:  enhancement  |          Status:  new      
 Priority:  major        |       Milestone:  undecided
Component:  unknown      |         Version:  1.3.0    
 Keywords:               |   Launchpad_bug:           
-------------------------+--------------------------------------------------

Comment(by nejucomo):

 I should have provided more details for my last post.

 Javascript from the same origin should be able to grab the $WUI_SECRET
 from its location (and may be able to grab it from another window even in
 the scheme where the $WUI_SECRET is not present in retrieval URLs).

 A same-origin CSRF that exploits the
 "http://$host/$WUI_SECRET/uri/$FILE_READ_CAP" url might be html containing
 <img src="http://../../admin?delete_all_shared=true">.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/674#comment:2>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list