docs/known_issues.rst: describe when the unauthorized access attack is known to be possible, and fix a link.

This commit is contained in:
david-sarah 2011-11-18 00:20:13 +00:00
parent ce8d40f31b
commit b73aba98de


@ -17,8 +17,8 @@ want to read `the "historical known issues" document`_.
Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
=======================================================
* `Potential unauthorized access by JavaScript in unrelated files`_
* `Potential disclosure of file through embedded hyperlinks or JavaScript in that file`_
* `Unauthorized access by JavaScript in unrelated files`_
* `Disclosure of file through embedded hyperlinks or JavaScript in that file`_
* `Command-line arguments are leaked to other local users`_
* `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_
* `Known issues in the FTP and SFTP frontends`_
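Review bot: these renamed list entries are reST hyperlink references (`...`_) that resolve only against a section title with exactly the same text, so they are correct here only because the two section titles are renamed in lockstep later in this patch; any other document that still references the old "Potential ..." titles (the "historical known issues" document linked in the context line is the obvious candidate) will produce an unresolved-reference error at build time. Worth grepping the docs tree for both old titles before merging.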
@ -27,7 +27,7 @@ Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
----
Unauthorized access by JavaScript in unrelated files
--------------------------------------------------------------
----------------------------------------------------
If you view a file stored in Tahoe-LAFS through a web user interface,
JavaScript embedded in that file can, in some circumstances, access other
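Review bot: the shortened underline now has the same length as the 52-character title, which docutils requires (a section underline shorter than its title is reported as an error, so this change is needed once "Potential " is dropped from the title). Nothing else to raise on this hunk.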
@ -37,6 +37,12 @@ those other files or directories to the author of the script, and if you
have the ability to modify the contents of those files or directories,
then that script could modify or delete those files or directories.
This attack is known to be possible when an attacking tab or window could
reach a tab or window containing a Tahoe URI by navigating back or forward
in the history, either from itself or from any frame with a known name (as
specified by the "target" attribute of an HTML link). It might be possible
in other cases depending on the browser.
*how to manage it*
For future versions of Tahoe-LAFS, we are considering ways to close off
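Review bot: in the added paragraph, "either from itself or from any frame with a known name" has an ambiguous antecedent; it is not clear whether it is the attacking tab that navigates the history from itself, or the Tahoe tab that is reached through itself or a named frame. Suggest spelling out the actor, e.g. "when an attacking page can navigate back or forward in the history of its own tab or window, or of any frame whose name it knows (a name is exposed by the "target" attribute of an HTML link), and that history contains a page at a Tahoe URI". The closing sentence "It might be possible in other cases depending on the browser" gives the reader nothing to act on; name the browsers in which the history-navigation case was confirmed, or link the tracking ticket, so users can judge whether their setup is affected.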
@ -53,8 +59,8 @@ malicious JavaScript.
----
Potential disclosure of file through embedded hyperlinks or JavaScript in that file
-----------------------------------------------------------------------------------
Disclosure of file through embedded hyperlinks or JavaScript in that file
-------------------------------------------------------------------------
If there is a file stored on a Tahoe-LAFS storage grid, and that file
gets downloaded and displayed in a web browser, then JavaScript or
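Review bot: dropping "Potential" from this title turns it into an assertion that the disclosure does occur, but unlike the first section (the hunk at line 37) this section receives no added text stating under what conditions it is known to happen, and the commit message only describes adding such text for the unauthorized access issue. Either add the equivalent "This attack is known to be possible when ..." sentence to this section or keep the qualifier in the title. The 73-dash underline does match the new title length.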