From 3f336160682a1bc8951b50d5c37f23f0d34a3091 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Wed, 29 May 2024 22:55:06 -0400
Subject: [PATCH] security

---
 doc/todo/annex_url_redirects.mdwn | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/doc/todo/annex_url_redirects.mdwn b/doc/todo/annex_url_redirects.mdwn
index 13da557ad9..9749f8ceb5 100644
--- a/doc/todo/annex_url_redirects.mdwn
+++ b/doc/todo/annex_url_redirects.mdwn
@@ -4,3 +4,16 @@ short url
 How about supporting an url like "annex::https://example.com/foo",
 where the http url redirects to the full annex url. Then any url
 shortener can be used. --[[Joey]]
+
+> This might be a security problem. An arbitrary annex:: url can access an
+> arbitrary resource. Eg, it might be a directory special remote, using any
+> directory on the user's computer, and they won't know if it's hidden
+> behind a http redirect.
+> 
+> Perhaps that could be dealt with by displaying information about the
+> special remote and prompting if it's ok to use. But users generally
+> say "yes" without thinking.
+> 
+> Perhaps it could be limited to safe special remotes. httpalso is surely
+> safe in this context. Would anything else be? Any external special
+> remotes? --[[Joey]]