 readme.rst | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+), 0 deletions(-)
diff --git a/readme.rst b/readme.rst
index 5c96c8a..a7108bc 100644
--- a/readme.rst
+++ b/readme.rst
@@ -39,6 +39,25 @@ inside shareit directory:
The service can be run as a python wsgi service. I tested it under uwsgi.
+Limitations
+===========
+
+Hashes are currently md5 of the content of the file:
+
+- It is possible to change the file content but having its md5 unchanged. This
+ can be used to maliciously put a compromised file in place of the original
+ one.
+
+- It is possible to change the file name by just downloading the file, and
+ reuploading it with another name.
+
+Both risks can be mitigated by protecting upload side with a password in the
+webserver configuration.
+
+It is possible to do better, but my instance has its upload side protected by
+a password, thus I'm not in a hurry and I'm open to pull requests if you have
+suggestions.
+
License
=======
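Review bot: the new Limitations section slightly overstates the mitigation in "Both risks can be mitigated by protecting upload side with a password": a password on the upload endpoint only restricts who may upload, it does not stop a user who holds that password from replacing content or re-uploading under a new name, and it does nothing for the MD5 weakness itself. Suggest splitting the two points in the text, e.g. "MD5 is not collision resistant, so two different files can share the same hash; a hash match therefore does not prove that the content is unchanged" for the first bullet, and noting for the second that the password limits the set of users who can rename, not the ability to rename. It would also help readers to state that moving to a collision-resistant hash such as SHA-256 is the real fix for the first bullet, since the paragraph "It is possible to do better" currently leaves open what "better" would be. Minor wording in the first bullet: "but having its md5 unchanged" reads better as "while keeping its md5 unchanged".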