[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header (was: smaller CSRF attack still possible)

tahoe-lafs trac at allmydata.org
Wed Oct 28 06:25:20 UTC 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------
Changes (by davidsarah):

  * keywords:  => security
  * priority:  minor => major


Comment:

 This attack isn't CSRF; changing the summary accordingly.

 If you like this bug, you might also like #615 and #821 :-)

 (#821 is about leaking the URL to scripts in the file itself, #615 is
 about leaking it to other pages.)

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:12>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list