[tahoe-dev] [tahoe-lafs] #674: controlled access to your WUI
tahoe-lafs
trac at allmydata.org
Fri Apr 3 08:56:17 PDT 2009
#674: controlled access to your WUI
-------------------------+--------------------------------------------------
 Reporter:  zooko        |           Owner:  nobody
     Type:  enhancement  |          Status:  new
 Priority:  major        |       Milestone:  undecided
Component:  unknown      |         Version:  1.3.0
 Keywords:               |   Launchpad_bug:
-------------------------+--------------------------------------------------
Currently the Welcome Page of the WUI is reachable without knowing any
secret, for example, this one: http://testgrid.allmydata.org:3567 . (If
you configure your WUI to listen for connections only from localhost then
that prevents people from connecting to it from other hosts, but it
doesn't prevent CSRF attacks in which someone posts a web page to Tahoe,
and when you view that page with JavaScript enabled, or click on a button
on that page, then it accesses your WUI.)
It would be good to have a page which is access-controlled by use of a
secret capability even though it isn't specific to a file or directory.
The entire Welcome Page might belong on that Access Controlled Welcome
Page, or maybe only the sensitive pieces would go onto the Access
Controlled Welcome Page.
As an example (this might or might not be a good idea), the Access
Controlled Welcome Page could have a log of the caps of all of your recent
uploads/downloads.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/674>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
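
An added sketch of the idea in the ticket above (not Tahoe-LAFS code and not from the original message): the sensitive welcome page is reachable only at a path containing an unguessable secret, so a cross-site request that does not know the secret gets the same 404 as any unknown URL. The `/welcome/<cap>` layout, the function names and the response headers are assumptions made for this illustration.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PREFIX = "/welcome/"  # hypothetical URL layout, not Tahoe's

def new_welcome_cap() -> str:
    """128 random bits, URL-safe: the secret that names the page."""
    return secrets.token_urlsafe(16)

def route(raw_path: str, cap: str):
    """Map a GET path to (status, headers, body)."""
    path = urlsplit(raw_path).path
    if path == "/":
        # Reachable by anyone, including a cross-site request: keep it bland.
        return 200, {}, "Public welcome page: no caps, no history\n"
    if path.startswith(PREFIX):
        presented = path[len(PREFIX):].encode()
        # Constant-time compare so response timing does not leak the cap.
        if hmac.compare_digest(presented, cap.encode()):
            headers = {
                "Referrer-Policy": "no-referrer",  # keep cap out of Referer
                "Cache-Control": "no-store",
            }
            return 200, headers, "Access-controlled welcome page\n"
    # Wrong or missing cap looks the same as any unknown URL.
    return 404, {}, "Not found\n"

class Handler(BaseHTTPRequestHandler):
    cap = ""  # set at startup

    def do_GET(self):
        status, headers, body = route(self.path, self.cap)
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    Handler.cap = new_welcome_cap()
    server = HTTPServer(("127.0.0.1", 0), Handler)  # loopback, ephemeral port
    print(f"http://127.0.0.1:{server.server_port}{PREFIX}{Handler.cap}")
    server.serve_forever()
```

Because the secret lives in the URL, it also ends up in browser history and bookmarks; the `Referrer-Policy` header only covers leakage through outbound links.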