#674: controlled access to your WUI
-------------------------+--------------------------------------------------
Reporter: zooko | Owner: nobody
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: unknown | Version: 1.3.0
Keywords: | Launchpad_bug:
-------------------------+--------------------------------------------------
Comment(by nejucomo):
I should have provided more details for my last post.
JavaScript from the same origin should be able to grab the $WUI_SECRET
from its location (and may be able to grab it from another window even in
the scheme where the $WUI_SECRET is not present in retrieval URLs).
A same-origin CSRF that exploits the
"http://$host/$WUI_SECRET/uri/$FILE_READ_CAP" URL might be HTML containing
<img src="http://../../admin?delete_all_shared=true">.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/674#comment:2>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
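The two mechanics nejucomo describes, modelled as an added example (this is not code from the ticket or from the Tahoe-LAFS code base): a same-origin script reading the secret out of the page's own path, and a relative image reference resolving against a page whose path carries that secret. The host, port, secret and capability strings are constructed placeholders, and the admin path and query parameter are taken from the ticket's hypothetical `<img>` tag, treated here as a relative reference. Runs under Node (uses the WHATWG `URL` class).

```javascript
// Added example, not part of the ticket or of Tahoe-LAFS. All identifiers
// below (host, port, secret, cap) are constructed placeholders.
const PAGE_URL = "http://tahoe.example:3456/WUI_SECRET_abc123/uri/CAP_readonly";

// What a script in a page served under the $WUI_SECRET prefix gets from
// window.location.pathname: the first path segment is the secret.
function extractWuiSecret(pageUrl) {
  const { pathname } = new URL(pageUrl);
  const segments = pathname.split("/").filter(Boolean);
  return segments.length > 0 ? segments[0] : null;
}

// Resolve a relative <img src="..."> the way the browser does: against the
// document's own URL, so the secret-bearing prefix is inherited unless the
// reference climbs above it.
function resolveImageSrc(pageUrl, relativeSrc) {
  return new URL(relativeSrc, pageUrl).href;
}

// Does the request the browser would emit still carry the secret prefix?
// (An attacker who knows the page depth picks the number of "../" to keep it.)
function requestCarriesSecret(pageUrl, relativeSrc) {
  const secret = extractWuiSecret(pageUrl);
  const resolved = new URL(resolveImageSrc(pageUrl, relativeSrc));
  return resolved.pathname.split("/").filter(Boolean)[0] === secret;
}

// Same-origin JavaScript does not need to guess the depth at all: once it
// has read the secret it can build the admin URL directly.
function forgeAdminUrl(pageUrl, action) {
  const u = new URL(pageUrl);
  u.pathname = `/${extractWuiSecret(pageUrl)}/admin`;
  u.search = `?${action}=true`;
  return u.href;
}

// Stand-alone demonstration.
console.log("secret from location:", extractWuiSecret(PAGE_URL));
for (const ref of ["../admin?delete_all_shared=true", "../../admin?delete_all_shared=true"]) {
  console.log(ref, "->", resolveImageSrc(PAGE_URL, ref),
    requestCarriesSecret(PAGE_URL, ref) ? "(secret kept)" : "(secret dropped)");
}
console.log("forged by script:", forgeAdminUrl(PAGE_URL, "delete_all_shared"));
```

The resolution step is the point: a secret placed in the path is a per-origin value that every same-origin document, and every relative reference inside one, inherits for free, so it does not distinguish a request the user meant to make from one an attacker-supplied page triggered.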