security
This commit is contained in:
Joey Hess
parent
efa684ab8a
commit
3f33616068
1 changed files with 13 additions and 0 deletions
|
|
@ -4,3 +4,16 @@ short url
|
|||
How about supporting an url like "annex::https://example.com/foo",
|
||||
where the http url redirects to the full annex url. Then any url
|
||||
shortener can be used. --[[Joey]]
|
||||
|
||||
> This might be a security problem. An arbitrary annex:: url can access an
|
||||
> arbitrary resource. Eg, it might be a directory special remote, using any
|
||||
> directory on the user's computer, and they won't know if it's hidden
|
||||
> behind a http redirect.
|
||||
>
|
||||
> Perhaps that could be dealt with by displaying information about the
|
||||
> special remote and prompting if it's ok to use. But users generally
|
||||
> say "yes" without thinking.
|
||||
>
|
||||
> Perhaps it could be limited to safe special remotes. httpalso is surely
|
||||
> safe in this context. Would anything else be? Any external special
|
||||
> remotes? --[[Joey]]
|
||||
|
|
|
|||
Loading…
Reference in a new issue