Opened at 2012-04-14T21:11:37Z
Last modified at 2016-04-28T07:44:45Z
#1720 closed defect
privacy leak because web.static does not exist — at Version 5
Reported by: | jg71 | Owned by: | davidsarah |
---|---|---|---|
Priority: | normal | Milestone: | 1.12.0 |
Component: | code-frontend-web | Version: | 1.9.1 |
Keywords: | privacy anonymity easy | Cc: | |
Launchpad Bug: |
Description (last modified by warner)
When a client/node is created, in tahoe.cfg "web.static = public_html" is enabled by default, but public_html is not created. Thus, surfing to http://localhost:3456/static/ leaks:
a) the absolute path of where web.static is expected to be
b) the Python version used
c) maybe which OS is used
Solution: don't enable web.static by default, or create the public_html directory during client/node creation.
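An added example, not part of the ticket or of Tahoe-LAFS itself: a Python check an operator could run against a node directory to detect the condition described above (web.static configured but its directory absent) and apply the second suggested remedy. It assumes web.static sits in the [node] section of tahoe.cfg and that a relative value resolves against the node's base directory; the function names and the sample config are constructed for illustration.

```python
import configparser
import os
import tempfile


def check_web_static(basedir):
    """Return (status, path); status is 'unset', 'ok' or 'missing'."""
    # interpolation=None so a literal '%' elsewhere in tahoe.cfg cannot break parsing
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.join(basedir, "tahoe.cfg"))
    value = cfg.get("node", "web.static", fallback="").strip()
    if not value:
        return ("unset", None)
    # Assumption: ~user is expanded and relative names resolve against basedir
    path = os.path.expanduser(value)
    if not os.path.isabs(path):
        path = os.path.join(basedir, path)
    path = os.path.abspath(path)
    return ("ok" if os.path.isdir(path) else "missing", path)


def fix_missing(basedir):
    """Create the configured directory if it is absent; return True if created."""
    status, path = check_web_static(basedir)
    if status == "missing":
        os.makedirs(path)
        return True
    return False


def demo():
    """Run the check against a constructed node directory (sample data)."""
    with tempfile.TemporaryDirectory() as basedir:
        with open(os.path.join(basedir, "tahoe.cfg"), "w") as f:
            # Constructed config mirroring the default described in the ticket
            f.write("[node]\nweb.port = tcp:3456:interface=127.0.0.1\n"
                    "web.static = public_html\n")
        before = check_web_static(basedir)[0]
        created = fix_missing(basedir)
        after = check_web_static(basedir)[0]
        return before, created, after


if __name__ == "__main__":
    print(demo())
```
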
Change History (5)
comment:1 Changed at 2012-04-14T21:19:15Z by nejucomo
comment:2 Changed at 2012-04-14T21:21:31Z by nejucomo
Note: I created a lafs-rpg issue that is related to this: https://bitbucket.org/nejucomo/lafs-rpg/issue/6/replace-stack-trace-responses-with-generic
comment:3 Changed at 2012-04-15T01:24:08Z by davidsarah
- Component changed from unknown to code-frontend-web
- Keywords changed from privacy,easy to privacy easy
This is a special case of #1008 (although the expected path of public_html would be leaked even if the exception report only showed the message and not the detailed traceback).
comment:4 Changed at 2012-04-15T01:26:36Z by davidsarah
- Keywords anonymity added
comment:5 Changed at 2015-06-18T17:40:55Z by warner
- Description modified (diff)
- Summary changed from privacy leak to privacy leak because web.static does not exist
This issue is relevant when an operator wishes to provide web gateway access to untrusted users while limiting their own risk. This is not a use case that the web gateway was designed for, but several users have requested this use case.