mirror of
https://github.com/tahoe-lafs/tahoe-lafs.git
synced 2024-12-24 15:16:41 +00:00
doc_reformat_known_issues.txt
- Added heading format beginning and ending by "=="
- Added Index
- Added Title
Note: No changes are made in paragraph content
parent c221ebff45
commit 3af24d051d
@ -1,5 +1,18 @@
|
|||||||
= Known Issues =
|
= Known Issues =
|
||||||
|
|
||||||
|
1. Overview
|
||||||
|
2. Issues in Tahoe-LAFS v1.6.0, released 2010-02-01
|
||||||
|
2.1. Potential unauthorized access by JavaScript in unrelated files
|
||||||
|
2.1.1. How to manage it
|
||||||
|
2.2. Potential disclosure of file through embedded hyperlinks or JavaScript in that file
|
||||||
|
2.2.1. How to manage it
|
||||||
|
2.3. Command-line arguments are leaked to other local users
|
||||||
|
2.3.1. How to manage it
|
||||||
|
2.4. Capabilities may be leaked to web browser phishing filter servers
|
||||||
|
2.4.1. How to manage it
|
||||||
|
|
||||||
|
== Overview ==
|
||||||
|
|
||||||
Below is a list of known issues in recent releases of Tahoe-LAFS, and how to
|
Below is a list of known issues in recent releases of Tahoe-LAFS, and how to
|
||||||
manage them. The current version of this file can be found at
|
manage them. The current version of this file can be found at
|
||||||
|
|
||||||
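Review bot: the index added at the top of the file numbers its entries (1., 2., 2.1., 2.1.1. and so on), but the headings it points to stay unnumbered, so a reader cannot find "2.3.1. How to manage it" by its number, and every entry has to be kept in step with its heading by hand. The entry "2. Issues in Tahoe-LAFS v1.6.0, released 2010-02-01" also embeds the release and date, which means the index needs an edit at each release in addition to the heading. Either number the headings to match the index, or drop the numbers and keep only the indented titles.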
@ -11,9 +24,9 @@ want to read the "historical known issues" document:
|
|||||||
|
|
||||||
http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
|
http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
|
||||||
|
|
||||||
== issues in Tahoe-LAFS v1.6.0, released 2010-02-01 ==
|
== Issues in Tahoe-LAFS v1.6.0, released 2010-02-01 ==
|
||||||
|
|
||||||
=== potential unauthorized access by JavaScript in unrelated files ===
|
=== Potential unauthorized access by JavaScript in unrelated files ===
|
||||||
|
|
||||||
If you view a file stored in Tahoe-LAFS through a web user interface,
|
If you view a file stored in Tahoe-LAFS through a web user interface,
|
||||||
JavaScript embedded in that file might be able to access other files or
|
JavaScript embedded in that file might be able to access other files or
|
||||||
@ -23,7 +36,7 @@ those other files or directories to the author of the script, and if you
|
|||||||
have the ability to modify the contents of those files or directories,
|
have the ability to modify the contents of those files or directories,
|
||||||
then that script could modify or delete those files or directories.
|
then that script could modify or delete those files or directories.
|
||||||
|
|
||||||
==== how to manage it ====
|
==== How to manage it ====
|
||||||
|
|
||||||
For future versions of Tahoe-LAFS, we are considering ways to close off
|
For future versions of Tahoe-LAFS, we are considering ways to close off
|
||||||
this leakage of authority while preserving ease of use -- the discussion
|
this leakage of authority while preserving ease of use -- the discussion
|
||||||
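Review bot: "==== How to manage it ====" is capitalised here and again with identical text in three later hunks, so the new index ends up with four entries (2.1.1, 2.2.1, 2.3.1, 2.4.1) that differ only by number. Since this commit already touches every one of these headings, consider naming the issue in each one, or leaving the sub-headings out of the index and listing only the issue titles.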
@ -35,8 +48,7 @@ doing so, or limit your viewing to files which you know don't contain
|
|||||||
malicious JavaScript.
|
malicious JavaScript.
|
||||||
|
|
||||||
|
|
||||||
=== potential disclosure of file through embedded
|
=== Potential disclosure of file through embedded hyperlinks or JavaScript in that file ===
|
||||||
hyperlinks or JavaScript in that file ===
|
|
||||||
|
|
||||||
If there is a file stored on a Tahoe-LAFS storage grid, and that file
|
If there is a file stored on a Tahoe-LAFS storage grid, and that file
|
||||||
gets downloaded and displayed in a web browser, then JavaScript or
|
gets downloaded and displayed in a web browser, then JavaScript or
|
||||||
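Review bot: joining the heading "=== potential disclosure of file through embedded / hyperlinks or JavaScript in that file ===" onto one line is more than the capitalisation change made elsewhere, and the commit message does not call it out. In the old text the opening "===" and the closing "===" sat on different lines; the merged line fixes that, but it is now much longer than the wrapped paragraph lines around it and has to match index entry 2.2 word for word. Please mention the rewrap in the commit message so the one-line reduction in this hunk (8 lines to 7) is not mistaken for a content change.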
@ -52,7 +64,7 @@ file. Note that IMG tags are typically followed automatically by web
|
|||||||
browsers, so being careful which hyperlinks you click on is not
|
browsers, so being careful which hyperlinks you click on is not
|
||||||
sufficient to prevent this from happening.
|
sufficient to prevent this from happening.
|
||||||
|
|
||||||
==== how to manage it ====
|
==== How to manage it ====
|
||||||
|
|
||||||
For future versions of Tahoe-LAFS, we are considering ways to close off
|
For future versions of Tahoe-LAFS, we are considering ways to close off
|
||||||
this leakage of authority while preserving ease of use -- the discussion
|
this leakage of authority while preserving ease of use -- the discussion
|
||||||
@ -65,7 +77,7 @@ and remove any JavaScript unless you are sure that the JavaScript is not
|
|||||||
written to maliciously leak access.
|
written to maliciously leak access.
|
||||||
|
|
||||||
|
|
||||||
=== command-line arguments are leaked to other local users ===
|
=== Command-line arguments are leaked to other local users ===
|
||||||
|
|
||||||
Remember that command-line arguments are visible to other users (through
|
Remember that command-line arguments are visible to other users (through
|
||||||
the 'ps' command, or the windows Process Explorer tool), so if you are
|
the 'ps' command, or the windows Process Explorer tool), so if you are
|
||||||
@ -74,7 +86,7 @@ be able to see (and copy) any caps that you pass as command-line
|
|||||||
arguments. This includes directory caps that you set up with the "tahoe
|
arguments. This includes directory caps that you set up with the "tahoe
|
||||||
add-alias" command. Use "tahoe create-alias" for that purpose instead.
|
add-alias" command. Use "tahoe create-alias" for that purpose instead.
|
||||||
|
|
||||||
==== how to manage it ====
|
==== How to manage it ====
|
||||||
|
|
||||||
Bypass add-alias and edit the NODEDIR/private/aliases file directly, by
|
Bypass add-alias and edit the NODEDIR/private/aliases file directly, by
|
||||||
adding a line like this:
|
adding a line like this:
|
||||||
@ -91,7 +103,7 @@ access to your files and directories. Starting in Tahoe-LAFS v1.3.0,
|
|||||||
there is a "tahoe create-alias" command that does this for you.
|
there is a "tahoe create-alias" command that does this for you.
|
||||||
|
|
||||||
|
|
||||||
=== capabilities may be leaked to web browser phishing filter servers ===
|
=== Capabilities may be leaked to web browser phishing filter servers ===
|
||||||
|
|
||||||
Internet Explorer includes a "phishing filter", which is turned on by
|
Internet Explorer includes a "phishing filter", which is turned on by
|
||||||
default, and which sends any URLs that it deems suspicious to a central
|
default, and which sends any URLs that it deems suspicious to a central
|
||||||
@ -109,7 +121,7 @@ has such a facility enabled by default (Opera has one that is disabled by
|
|||||||
default). Firefox briefly included a phishing filter in previous versions,
|
default). Firefox briefly included a phishing filter in previous versions,
|
||||||
but abandoned it.
|
but abandoned it.
|
||||||
|
|
||||||
==== how to manage it ====
|
==== How to manage it ====
|
||||||
|
|
||||||
If you use Internet Explorer's phishing filter or a similar add-on
|
If you use Internet Explorer's phishing filter or a similar add-on
|
||||||
for another browser, consider either disabling it, or not using the WUI
|
for another browser, consider either disabling it, or not using the WUI
|
||||||
|