Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement a callback checking for malicious delete password #5

Closed
ptrf opened this issue Jul 23, 2013 · 1 comment
Closed

implement a callback checking for malicious delete password #5

ptrf opened this issue Jul 23, 2013 · 1 comment
Labels
invalid

Comments

@ptrf
Copy link

ptrf commented Jul 23, 2013

As the current hushfile API.md mentions:

It is possible for a malicious client to construct an upload where the deletepassword
POSTed to the server is different from the one inside the encrypted metadata blob.

The idea is to proactively check whether a different delete password was included in the metadata, by calling an api-endpoint immediately after decoding the metadata blob.

Such a check would probably be fit to call in the try block here https://github.com/hushfile/hushfile-web/blob/master/hushfile-download.js#L23

It would also be nice with a notification saying "Warning: Delete password supplied is incorrect, possibly malicious file" or something like that.
@ptrf ptrf mentioned this issue Jul 23, 2013
Open
@rlindsgaard
Copy link
Member

Invalid due to new API spec. See documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rlindsgaard @ptrf