Opened at 2011-12-31T00:29:29Z
Last modified at 2013-09-14T17:40:28Z
#1649 assigned defect
WUI: the error message page for a writeable file/directory nonobviously includes the write cap
Reported by: | davidsarah | Owned by: | davidsarah |
---|---|---|---|
Priority: | major | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.9.0 |
Keywords: | usability security capleak websec | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
In the case of a directory, for example, the target URL of the 'More info on this directory' link includes the write cap. This is not excess authority because the 'More info' page itself includes the write cap and so needs to know it; however, it's not visually obvious that by sending someone just the HTML file of the error page, you are giving them the write cap.
(OTOH, I was prompted to file this ticket by someone who did exactly that and did understand that they were giving away the write cap.)
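A check for the situation described in this ticket, as an added example that is not part of the ticket or of Tahoe-LAFS's own code: it scans a saved WUI page for write caps in attribute values and text before the file is shared. The sample HTML, its URL shape and the cap values are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Write-cap prefixes used by Tahoe-LAFS. The "-RO" and "-Verifier" forms are
# deliberately not matched because they do not grant write authority.
WRITE_CAP = re.compile(r"URI:(?:DIR2-MDMF|DIR2|SSK|MDMF):[a-z2-7]+:[a-z2-7]+")

class CapFinder(HTMLParser):
    """Records where write caps occur in attribute values and text nodes."""
    def __init__(self):
        super().__init__()
        self.hits = []  # (location, cap kind); the secret itself is not kept

    def _scan(self, where, value):
        # Caps inside URLs are percent-encoded ("URI%3ADIR2%3A..."), so decode first.
        for m in WRITE_CAP.finditer(unquote(value or "")):
            self.hits.append((where, m.group(0).split(":")[1]))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)

def find_write_caps(html):
    finder = CapFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample: an error page whose link target carries a write cap
# (assumed URL shape), next to a read-only link that must not be flagged.
SAMPLE = """<html><body><h1>Error</h1>
<a href="/uri/URI%3ADIR2%3Aaaaa2222%3Abbbb3333/?t=info">More info on this directory</a>
<a href="/uri/URI%3ADIR2-RO%3Acccc4444%3Adddd5555/">read-only view</a>
</body></html>"""

if __name__ == "__main__":
    for where, kind in find_write_caps(SAMPLE):
        print(f"write cap ({kind}) found in {where}; do not share this file as-is")
```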
Change History (2)
comment:1 Changed at 2012-06-29T13:21:02Z by davidsarah
- Owner set to davidsarah
- Status changed from new to assigned
comment:2 Changed at 2013-09-14T17:40:28Z by zooko
- Description modified (diff)
- Keywords websec added