fix upload authentication vulnerability #8

Open
wants to merge 4 commits into
base: master


@abraxxa abraxxa commented May 6, 2020

No description provided.

@shadowcat-mst
Owner

(1) calling this a vulnerability is an error since the documentation is currently clear that it's designed to provide a single password that functions as a shared secret - "authentication improvement" would be a better description IMO (and I'm fine with the ensuing compat breakage provided we detect the old-style auth tokens and barf)
(2) it'd be nice to at least support sha-style htpasswd entries and provide a CLI example of how to generate one of those
(3) there should likely be a command for generating the b64 version or at least an example of how to use an external unix tool to do so

General shape of the PR seems fine at a first look though, the above is all arguably details

fix upload authentication vulnerability

only checked password, not username

This required to change the OPAN_AUTH_TOKENS, see the docs for details
@abraxxa abraxxa force-pushed the master branch 2 times, most recently from db48e41 to 26992f9 Compare March 1, 2021 15:51