You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is possible for a malicious client to construct an upload where the deletepassword
POSTed to the server is different from the one inside the encrypted metadata blob.
The idea is to proactively check whether a different delete password was included in the metadata, by calling an api-endpoint immediately after decoding the metadata blob.
As the current hushfile API.md mentions:
The idea is to proactively check whether a different delete password was included in the metadata, by calling an api-endpoint immediately after decoding the metadata blob.
Such a check would probably be fit to call in the try block here https://github.com/hushfile/hushfile-web/blob/master/hushfile-download.js#L23
It would also be nice with a notification saying "Warning: Delete password supplied is incorrect, possibly malicious file" or something like that.
The text was updated successfully, but these errors were encountered: