[tahoe-dev] [tahoe-lafs] #821: A script in a file viewed through the WUI can obtain the file's read cap

tahoe-lafs trac at allmydata.org
Wed Oct 28 04:03:18 UTC 2009


#821: A script in a file viewed through the WUI can obtain the file's read cap
-------------------------------+--------------------------------------------
 Reporter:  davidsarah         |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  1.5.0    
 Keywords:  newcaps security   |   Launchpad_bug:           
-------------------------------+--------------------------------------------
 http://allmydata.org/trac/tahoe/ticket/98#comment:22

 A script (such as JavaScript) in an [X]HTML file viewed through the WUI
 can obtain the read cap for that file. For an immutable file, this is not
 much of a problem because the script can read the contents of the file
 anyway. However, for a mutable file, it can also read any future version,
 which is a violation of the Principle of Least Authority.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/821>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid

