| author | vg <vgm+dev@devys.org> | 2020-06-22 17:41:04 +0200 | 
|---|---|---|
| committer | vg <vgm+dev@devys.org> | 2020-06-22 17:41:04 +0200 | 
| commit | b8b321c4d56f737b8b52f92cc611f0b4d348fc8f (patch) | |
| tree | 4a98b574572b6bbac17a09681b3d1aa5989e27a9 | |
| parent | 23d126fda90141d802b58d4fa4fa866a90f6b7ef (diff) | |
| download | shareit-b8b321c4d56f737b8b52f92cc611f0b4d348fc8f.tar.gz shareit-b8b321c4d56f737b8b52f92cc611f0b4d348fc8f.tar.bz2 shareit-b8b321c4d56f737b8b52f92cc611f0b4d348fc8f.zip | |
document limitations
| -rw-r--r-- | readme.rst | 19 | 
1 files changed, 19 insertions, 0 deletions
| @@ -39,6 +39,25 @@ inside shareit directory:  The service can be run as a python wsgi service. I tested it under uwsgi. +Limitations +=========== + +Hashes are currently md5 of the content of the file: + +- It is possible to change the file content but having its md5 unchanged. This +  can be used to maliciously put a compromised file in place of the original +  one. + +- It is possible to change the file name by just downloading the file, and +  reuploading it with another name. + +Both risks can be mitigated by protecting upload side with a password in the +webserver configuration. + +It is possible to do better, but my instance has its upload side protected by +a password, thus I'm not in a hurry and I'm open to pull requests if you have +suggestions. +  License  ======= | 
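Review bot: the first bullet of the new Limitations section understates the risk and the proposed mitigation does not fully address it. A collision against MD5 is cheap to produce today, so "It is possible to change the file content but having its md5 unchanged" is not a theoretical caveat but a practical one, and a password on the upload side only keeps out unauthenticated uploaders; anyone allowed to upload can still replace a file by submitting a colliding one with the same hash. Since the section already concedes "It is possible to do better", it would be preferable to switch the content hash to SHA-256 (or another collision-resistant hash) rather than document the weakness, or at least say so explicitly in the readme. Minor wording in the same hunk: "but having its md5 unchanged" reads better as "while keeping its md5 unchanged", and "protecting upload side" should be "protecting the upload side".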
