2008-06-10 23:24:25 +00:00
|
|
|
= Known Issues =
|
|
|
|
|
2008-12-30 07:52:26 +00:00
|
|
|
Below is a list of known issues in recent releases of Tahoe-LAFS, and how to
|
|
|
|
manage them. The current version of this file can be found at
|
2008-07-22 01:02:49 +00:00
|
|
|
|
|
|
|
http://allmydata.org/source/tahoe/trunk/docs/known_issues.txt
|
|
|
|
|
2008-12-30 07:52:26 +00:00
|
|
|
Older versions of this document describing issues in older versions of
|
|
|
|
Tahoe-LAFS can be found at
|
|
|
|
|
|
|
|
http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
|
2008-07-22 01:02:49 +00:00
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
== issues in Tahoe v1.3.0, released 2009-02-13 ==
|
2009-02-11 21:14:53 +00:00
|
|
|
|
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
=== potential unauthorized access by JavaScript in unrelated files ===
|
2009-02-11 21:14:53 +00:00
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
If you view a file stored in Tahoe through a web user interface,
|
|
|
|
JavaScript embedded in that file might be able to access other files or
|
|
|
|
directories stored in Tahoe which you view through the same web user
|
|
|
|
interface. Such a script would be able to send the contents of those
|
|
|
|
other files or directories to the author of the script, and if you have
|
|
|
|
the ability to modify the contents of those files or directories, then
|
|
|
|
that script could modify or delete those files or directories.
|
2009-02-11 21:14:53 +00:00
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
==== how to manage it ====
|
|
|
|
|
|
|
|
For future versions of Tahoe, we are considering ways to close off
|
|
|
|
this leakage of authority while preserving ease of use -- the
|
|
|
|
discussion of this issue is ticket #615.
|
2009-02-11 21:14:53 +00:00
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
For the present, either do not view files stored in Tahoe through a web
|
|
|
|
user interface, or turn off JavaScript in your web browser before doing
|
|
|
|
so, or limit your viewing to files which you know don't contain
|
|
|
|
malicious JavaScript.
|
2008-07-22 01:02:49 +00:00
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
|
|
|
|
=== potential disclosure of file through embedded
|
2008-12-30 08:01:16 +00:00
|
|
|
hyperlinks or JavaScript in that file ===
|
|
|
|
|
|
|
|
If there is a file stored on a Tahoe storage grid, and that file gets
|
|
|
|
downloaded and displayed in a web browser, then JavaScript or
|
|
|
|
hyperlinks within that file can leak the capability to that file to a
|
|
|
|
third party, which means that third party gets access to the file.
|
|
|
|
|
|
|
|
If there is JavaScript in the file, then it could deliberately leak
|
|
|
|
the capability to the file out to some remote listener.
|
|
|
|
|
|
|
|
If there are hyperlinks in the file, and they get followed, then
|
|
|
|
whichever server they point to receives the capability to the
|
|
|
|
file. Note that IMG tags are typically followed automatically by web
|
|
|
|
browsers, so being careful which hyperlinks you click on is not
|
|
|
|
sufficient to prevent this from happening.
|
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
|
|
|
For future versions of Tahoe, we are considering ways to close off
|
|
|
|
this leakage of authority while preserving ease of use -- the
|
|
|
|
discussion of this issue is ticket #127.
|
|
|
|
|
|
|
|
For the present, a good work-around is that if you want to store and
|
|
|
|
view a file on Tahoe and you want that file to remain private, then
|
|
|
|
remove from that file any hyperlinks pointing to other people's
|
|
|
|
servers and remove any JavaScript unless you are sure that the
|
|
|
|
JavaScript is not written to maliciously leak access.
|
|
|
|
|
|
|
|
|
2009-02-13 05:16:21 +00:00
|
|
|
=== command-line arguments are leaked to other local users ===
|
2008-07-22 01:02:49 +00:00
|
|
|
|
|
|
|
Remember that command-line arguments are visible to other users
|
|
|
|
(through the 'ps' command, or the windows Process Explorer tool), so
|
|
|
|
if you are using a Tahoe node on a shared host, other users on that
|
|
|
|
host will be able to see (and capture) any directory caps that you set
|
|
|
|
up with the "tahoe add-alias" command.
|
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
|
|
|
Bypass add-alias and edit the NODEDIR/private/aliases file directly,
|
|
|
|
by adding a line like this:
|
|
|
|
|
|
|
|
fun: URI:DIR2:ovjy4yhylqlfoqg2vcze36dhde:4d4f47qko2xm5g7osgo2yyidi5m4muyo2vjjy53q4vjju2u55mfa
|
|
|
|
|
|
|
|
By entering the dircap through the editor, the command-line arguments are
|
|
|
|
bypassed, and other users will not be able to see them. Once you've added the
|
|
|
|
alias, no other secrets are passed through the command line, so this
|
|
|
|
vulnerability becomes less significant: they can still see your filenames and
|
|
|
|
other arguments you type there, but not the caps that Tahoe uses to permit
|
2008-12-30 07:52:26 +00:00
|
|
|
access to your files and directories. In Tahoe v1.3.0, there is a new
|
|
|
|
"tahoe create-aliase" command that does this for you.
|