mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security

Browse source
This commit is contained in:
Joey Hess 2024-05-29 22:55:06 -04:00
parent efa684ab8a
commit 3f33616068
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
doc/todo/annex_url_redirects.mdwn
View file

@ -4,3 +4,16 @@ short url
How about supporting an url like "annex::https://example.com/foo", How about supporting an url like "annex::https://example.com/foo",
where the http url redirects to the full annex url. Then any url where the http url redirects to the full annex url. Then any url
shortener can be used. --[[Joey]] shortener can be used. --[[Joey]]
> This might be a security problem. An arbitrary annex:: url can access an
> arbitrary resource. Eg, it might be a directory special remote, using any
> directory on the user's computer, and they won't know if it's hidden
> behind a http redirect.
>
> Perhaps that could be dealt with by displaying information about the
> special remote and prompting if it's ok to use. But users generally
> say "yes" without thinking.
>
> Perhaps it could be limited to safe special remotes. httpalso is surely
> safe in this context. Would anything else be? Any external special
> remotes? --[[Joey]]