mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

correction of scope of security problem

Browse source 
AFAICS, it's not only affecting resumes, but any upload to a special remote
with chunking enabled.
This commit is contained in:
Joey Hess 2016-04-28 16:07:10 -04:00
parent b22409db38
commit 9c7e46c9c5
Failed to extract signature
2 changed files with 4 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

7
doc/bugs/External_special_remote_broken__63__/comment_1_904a186a6400506303cad772ac1a6751._comment
View file

@ -10,9 +10,6 @@ non-chunked form, since a remote can be reconfigured to add chunking.
So it's nothing to worry about.
The lack of encryption of the key when checking to resume is definitely a
bug. A bit of a security bug too, although it only happens when resuming
uploads. (I double checked the other operations and they all encrypt keys)
I suppose that if the server was hostile, it could randomly make
uploads fail, in order to get git-annex to expose content keys via
this bug when resuming.
bug. A bit of a security bug too.
(I double checked the other operations and they all encrypt keys)
"""]]