From b8b321c4d56f737b8b52f92cc611f0b4d348fc8f Mon Sep 17 00:00:00 2001 From: vg Date: Mon, 22 Jun 2020 17:41:04 +0200 Subject: document limitations --- readme.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/readme.rst b/readme.rst index 5c96c8a..a7108bc 100644 --- a/readme.rst +++ b/readme.rst @@ -39,6 +39,25 @@ inside shareit directory: The service can be run as a python wsgi service. I tested it under uwsgi. +Limitations +=========== + +Hashes are currently md5 of the content of the file: + +- It is possible to change the file content but having its md5 unchanged. This + can be used to maliciously put a compromised file in place of the original + one. + +- It is possible to change the file name by just downloading the file, and + reuploading it with another name. + +Both risks can be mitigated by protecting upload side with a password in the +webserver configuration. + +It is possible to do better, but my instance has its upload side protected by +a password, thus I'm not in a hurry and I'm open to pull requests if you have +suggestions. + License ======= -- cgit v1.2.3
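Review bot: the first bullet under "Limitations" overstates what the MD5 weakness allows. "It is possible to change the file content but having its md5 unchanged" describes a second-preimage attack, which is not practical against MD5; what is practical is a collision, where the attacker prepares two files with the same MD5 in advance, uploads the harmless one and later swaps in the malicious twin. That distinction matters for the threat model: an existing file uploaded by someone else cannot be replaced by an arbitrary attacker-chosen file, only by the pre-computed sibling of a file the attacker uploaded themselves. Suggest rewording along the lines of "An attacker can prepare two files with the same md5 and later replace one with the other" (also fixes the grammar of "but having its md5 unchanged"). Separately, the second bullet (download and re-upload under another name) is not a consequence of hashing at all but of unauthenticated uploads, so the lead sentence "Hashes are currently md5 of the content of the file:" should introduce only the first bullet, with the rename risk listed on its own. Finally, since the service is Python (the surrounding text mentions running it under uwsgi), the "It is possible to do better" paragraph could name the obvious fix, switching the content hash to SHA-256 via hashlib, so a contributor knows what pull request would be welcome.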