Sat Apr 24 13:41:18 Paris, Madrid (heure d'été) 2010 freestorm77@gmail.com * doc_reformat_known_issues.txt - Added heading format beginning and ending with "==" - Added Index - Added Title Note: No changes are made to paragraph content New patches: [doc_reformat_known_issues.txt freestorm77@gmail.com**20100424114118 Ignore-this: 9577c3965d77b7ac18698988cfa06049 - Added heading format beginning and ending with "==" - Added Index - Added Title Note: No changes are made to paragraph content ] { hunk ./docs/known_issues.txt 3 = Known Issues = +1. Overview +2. Issues in Tahoe-LAFS v1.6.0, released 2010-02-01 + 2.1. Potential unauthorized access by JavaScript in unrelated files + 2.1.1. How to manage it + 2.2. Potential disclosure of file through embedded hyperlinks or JavaScript in that file + 2.2.1. How to manage it + 2.3. Command-line arguments are leaked to other local users + 2.3.1. How to manage it + 2.4. Capabilities may be leaked to web browser phishing filter servers + 2.4.1. How to manage it + +== Overview == + Below is a list of known issues in recent releases of Tahoe-LAFS, and how to manage them. The current version of this file can be found at hunk ./docs/known_issues.txt 27 http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt -== issues in Tahoe-LAFS v1.6.0, released 2010-02-01 == +== Issues in Tahoe-LAFS v1.6.0, released 2010-02-01 == hunk ./docs/known_issues.txt 29 -=== potential unauthorized access by JavaScript in unrelated files === +=== Potential unauthorized access by JavaScript in unrelated files === If you view a file stored in Tahoe-LAFS through a web user interface, JavaScript embedded in that file might be able to access other files or hunk ./docs/known_issues.txt 39 have the ability to modify the contents of those files or directories, then that script could modify or delete those files or directories. 
-==== how to manage it ==== +==== How to manage it ==== For future versions of Tahoe-LAFS, we are considering ways to close off this leakage of authority while preserving ease of use -- the discussion hunk ./docs/known_issues.txt 51 malicious JavaScript. -=== potential disclosure of file through embedded -hyperlinks or JavaScript in that file === +=== Potential disclosure of file through embedded hyperlinks or JavaScript in that file === If there is a file stored on a Tahoe-LAFS storage grid, and that file gets downloaded and displayed in a web browser, then JavaScript or hunk ./docs/known_issues.txt 67 browsers, so being careful which hyperlinks you click on is not sufficient to prevent this from happening. -==== how to manage it ==== +==== How to manage it ==== For future versions of Tahoe-LAFS, we are considering ways to close off this leakage of authority while preserving ease of use -- the discussion hunk ./docs/known_issues.txt 80 written to maliciously leak access. -=== command-line arguments are leaked to other local users === +=== Command-line arguments are leaked to other local users === Remember that command-line arguments are visible to other users (through the 'ps' command, or the windows Process Explorer tool), so if you are hunk ./docs/known_issues.txt 89 arguments. This includes directory caps that you set up with the "tahoe add-alias" command. Use "tahoe create-alias" for that purpose instead. -==== how to manage it ==== +==== How to manage it ==== Bypass add-alias and edit the NODEDIR/private/aliases file directly, by adding a line like this: hunk ./docs/known_issues.txt 106 there is a "tahoe create-alias" command that does this for you. 
-=== capabilities may be leaked to web browser phishing filter servers === +=== Capabilities may be leaked to web browser phishing filter servers === Internet Explorer includes a "phishing filter", which is turned on by default, and which sends any URLs that it deems suspicious to a central hunk ./docs/known_issues.txt 124 default). Firefox briefly included a phishing filter in previous versions, but abandoned it. -==== how to manage it ==== +==== How to manage it ==== If you use Internet Explorer's phishing filter or a similar add-on for another browser, consider either disabling it, or not using the WUI } Context: [docs: install.html http-equiv refresh to quickstart.html zooko@zooko.com**20100421165708 Ignore-this: 52b4b619f9dde5886ae2cd7f1f3b734b ] [docs: install.html -> quickstart.html zooko@zooko.com**20100421155757 Ignore-this: 6084e203909306bed93efb09d0e6181d It is not called "installing" because that implies that it is going to change the configuration of your operating system. It is not called "building" because that implies that you need developer tools like a compiler. Also I added a stern warning against looking at the "InstallDetails" wiki page, which I have renamed to "AdvancedInstall". 
] [Fix another typo in tahoe_storagespace munin plugin david-sarah@jacaranda.org**20100416220935 Ignore-this: ad1f7aa66b554174f91dfb2b7a3ea5f3 ] [Add dependency on windmill >= 1.3 david-sarah@jacaranda.org**20100416190404 Ignore-this: 4437a7a464e92d6c9012926b18676211 ] [licensing: phrase the OpenSSL-exemption in the vocabulary of copyright instead of computer technology, and replicate the exemption from the GPL to the TGPPL zooko@zooko.com**20100414232521 Ignore-this: a5494b2f582a295544c6cad3f245e91 ] [munin-tahoe_storagespace freestorm77@gmail.com**20100221203626 Ignore-this: 14d6d6a587afe1f8883152bf2e46b4aa Plugin configuration rename ] [setup: add licensing declaration for setuptools (noticed by the FSF compliance folks) zooko@zooko.com**20100309184415 Ignore-this: 2dfa7d812d65fec7c72ddbf0de609ccb ] [setup: fix error in licensing declaration from Shawn Willden, as noted by the FSF compliance division zooko@zooko.com**20100309163736 Ignore-this: c0623d27e469799d86cabf67921a13f8 ] [CREDITS to Jacob Appelbaum zooko@zooko.com**20100304015616 Ignore-this: 70db493abbc23968fcc8db93f386ea54 ] [desert-island-build-with-proper-versions jacob@appelbaum.net**20100304013858] [docs: a few small edits to try to guide newcomers through the docs zooko@zooko.com**20100303231902 Ignore-this: a6aab44f5bf5ad97ea73e6976bc4042d These edits were suggested by my watching over Jake Appelbaum's shoulder as he completely ignored/skipped/missed install.html and also as he decided that debian.txt wouldn't help him with basic installation. Then I threw in a few docs edits that have been sitting around in my sandbox asking to be committed for months. ] [TAG allmydata-tahoe-1.6.1 david-sarah@jacaranda.org**20100228062314 Ignore-this: eb5f03ada8ea953ee7780e7fe068539 ] Patch bundle hash: fdd36f7db5f759ac536ab740fc019360d83bbba2
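Review bot: In the first hunk (./docs/known_issues.txt 3), the added index numbers its entries (2.1, 2.1.1, 2.2, ...) but none of the headings touched in the later hunks carry those numbers, so an entry such as "2.3.1. How to manage it" cannot be matched to a heading, and four index entries read identically. Either number the headings to match or drop the numbers and the x.x.1 entries from the index. The index also repeats "v1.6.0, released 2010-02-01" from the heading at line 27, so the two must be edited together at each release; the bundle's context already lists the allmydata-tahoe-1.6.1 tag.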
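Review bot: The commit message does not describe what the hunks at 27, 29, 39, 67, 80, 89, 106 and 124 do: the removed lines there already begin and end with "==", "===" or "====", and the only change is capitalizing the first word of each heading. Only "+== Overview ==" in the first hunk is a newly added heading, so the message should say "capitalized existing headings" alongside the added index and Overview heading.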
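Review bot: In the hunk at ./docs/known_issues.txt 51, two removed lines become one: the heading that was wrapped after "embedded" is joined into a single line, which goes beyond capitalization and leaves a heading noticeably longer than the wrapped paragraphs around it. If the join is intended so that the opening and closing "===" sit on the same line, state that in the commit message so the change is not read as an accidental reflow.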