[tahoe-dev] [tahoe-lafs] #821: A script in a file viewed through the WUI can obtain the file's read cap
tahoe-lafs
trac at allmydata.org
Wed Oct 28 06:08:49 UTC 2009
#821: A script in a file viewed through the WUI can obtain the file's read cap
-----------------------------------+----------------------------------------
     Reporter:  davidsarah         |       Owner:
         Type:  defect             |      Status:  reopened
     Priority:  major              |   Milestone:  undecided
    Component:  code-frontend-web  |     Version:  1.5.0
   Resolution:                     |    Keywords:  newcaps security
Launchpad_bug:                     |
-----------------------------------+----------------------------------------
Changes (by davidsarah):
* status: closed => reopened
* resolution: duplicate =>
Comment:
It's not really a duplicate, because #615 is about scripts from one page
having access to other pages. If #615 were fixed, this issue would remain,
since it isn't dependent on the same-origin policy. That is, even if we
were to put every page in a different origin, a script would still be able
to access its ''own'' URL -- and therefore future versions of its file if
this bug is not fixed.

In a sense, #615 masks this bug, because it allows an attack that is a
superset of this one. So I think we should leave this ticket open and
reference it from #615.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/821#comment:3>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid