View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006944 | Taler | documentation | public | 2021-07-23 13:26 | 2021-08-24 16:22 |
Reporter | Christian Grothoff | Assigned To | ttn | ||
Priority | normal | Severity | text | Reproducibility | N/A |
Status | closed | Resolution | fixed | ||
Platform | i7 | OS | Debian GNU/Linux | OS Version | squeeze |
Product Version | git (master) | ||||
Target Version | 0.8 | Fixed in Version | 0.8 | ||
Summary | 0006944: document that API leaks instance existence | ||||
Description | The merchant backend manual (somewhere around instance management) should explain that the API does leak the _existence_ of instances, that is, unauthorized users can tell that an instance does not exist (HTTP 404) vs. that they do not have access (HTTP 403). This information leak was deemed acceptable (by the team in the security workshop) to allow users to diagnose errors, but should be stated explicitly somewhere in the manual. | ||||
Tags | No tags attached. | ||||

(0018094) ttn, 2021-08-11 05:08
Are the security workshop proceedings online? It would be nice to link to it saying that this concern is deemed minor.

(0018095) ttn, 2021-08-11 05:09
(See also: <https://git.taler.net/docs.git/commit/?id=ea3a137a097c03c8b4877a855197797d61c882d4>.)

(0018097) Christian Grothoff, 2021-08-11 09:15
There is no really usable report from the workshop, but the participants clearly concluded that while we should make users aware that this bit of information is leaked, this is still a good trade-off, as in general the diagnostic value of the distinction for trouble-shooting outweighs the information leak. Furthermore, it should be noted that a reverse proxy could easily be used to plug the information leak by changing 404s to 403 in deployments where this is found to be an issue.

(0018100) ttn, 2021-08-11 12:02
See <https://git.taler.net/docs.git/commit/?id=552ceeb3e5fef9f50d0d8f1173f8d0c80636288d>. I suppose a lame way out would be to link to generic nginx or apache documentation. I would prefer that we add a small bit to each server's config example. We can always add more links once there is more text supporting those links.

(0018101) ttn, 2021-08-11 12:06
Rats. Mantis has trouble w/ trailing close-angle-bracket in hyperlinks, it seems. Here it is DIRECT! :-D https://git.taler.net/docs.git/commit/?id=552ceeb3e5fef9f50d0d8f1173f8d0c80636288d

(0018102) ttn, 2021-08-11 12:25
https://stackoverflow.com/questions/41560084/how-to-change-the-status-code-of-a-proxied-server-response-in-nginx

(0018103) ttn, 2021-08-11 12:28
https://www.nginx.com/blog/creating-nginx-rewrite-rules/

(0018104) ttn, 2021-08-11 12:47
https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page#content

(0018105) ttn, 2021-08-11 13:05
Recent commit: https://git.taler.net/docs.git/commit/?id=247fb8bc2d639b6d9361c58639fd855acf861393

(0018106) ttn, 2021-08-11 13:17
https://docs.trafficserver.apache.org/en/latest/admin-guide/plugin/header_rewrite.en.html?highlight=connection%20close%20drain

(0018107) ttn, 2021-08-11 13:26
Nginx and Apache experts, please take a look: https://git.taler.net/docs.git/commit/?id=c9d5fdc5c70091c88134536435553bb5a0f3743f

(0018108) Christian Grothoff, 2021-08-11 14:18
Fix looks good to me. ;-)

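The reverse-proxy workaround discussed in this thread (have the proxy report the backend's 404 as 403 so an unauthorized caller cannot tell a missing instance from one they lack access to), written out as an added nginx configuration example. This is not taken from the Taler manual or from the docs.git commits linked above. The upstream address 127.0.0.1:9966, the hostname merchant.example.com and the JSON error body are assumptions for illustration; adjust them to the deployment.

```nginx
# Added example, not from the Taler documentation: plug the instance-existence
# leak at the reverse proxy by answering every upstream 404 with a 403.
# Assumptions: the merchant backend listens on 127.0.0.1:9966 (change to match
# your deployment) and this server block fronts the whole merchant API.
server {
    listen 443 ssl;
    server_name merchant.example.com;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted; configure as usual

    location / {
        proxy_pass http://127.0.0.1:9966;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # Let nginx process upstream responses with status >= 300 through
        # error_page instead of relaying them verbatim. Only status codes that
        # have an error_page entry are intercepted; all others pass through
        # unchanged, so 401/403/5xx from the backend still reach the client.
        proxy_intercept_errors on;

        # Collapse "instance does not exist" (404) into "no access" (403).
        # "=403" overrides the status code; @forbidden supplies the body.
        error_page 404 =403 @forbidden;
    }

    # Target of the 404 -> 403 rewrite. It returns a fixed body rather than
    # whatever the backend attached to its 404, so the body cannot leak the
    # distinction either.
    location @forbidden {
        default_type application/json;
        return 403 '{"hint":"forbidden"}';   # placeholder body
    }
}
```

Two caveats before deploying this. It rewrites every 404 under the proxied prefix, including plain typos in a URL, so scope the `location` to the instance endpoints if a 404 is still wanted elsewhere. And verify the result from the outside: an unauthenticated request for an instance that exists and for one that does not should now return the same 403 status and the same body, otherwise the proxy is not in the path for that route.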
Date Modified | Username | Field | Change |
---|---|---|---|
2021-07-23 13:26 | Christian Grothoff | New Issue | |
2021-07-23 13:26 | Christian Grothoff | Status | new => assigned |
2021-07-23 13:26 | Christian Grothoff | Assigned To | => ttn |
2021-08-11 05:08 | ttn | Note Added: 0018094 | |
2021-08-11 05:09 | ttn | Note Added: 0018095 | |
2021-08-11 09:15 | Christian Grothoff | Note Added: 0018097 | |
2021-08-11 12:02 | ttn | Note Added: 0018100 | |
2021-08-11 12:06 | ttn | Note Added: 0018101 | |
2021-08-11 12:25 | ttn | Note Added: 0018102 | |
2021-08-11 12:28 | ttn | Note Added: 0018103 | |
2021-08-11 12:47 | ttn | Note Added: 0018104 | |
2021-08-11 13:05 | ttn | Note Added: 0018105 | |
2021-08-11 13:17 | ttn | Note Added: 0018106 | |
2021-08-11 13:26 | ttn | Note Added: 0018107 | |
2021-08-11 13:27 | ttn | Status | assigned => confirmed |
2021-08-11 14:18 | Christian Grothoff | Note Added: 0018108 | |
2021-08-11 14:18 | Christian Grothoff | Status | confirmed => resolved |
2021-08-11 14:18 | Christian Grothoff | Resolution | open => fixed |
2021-08-11 14:18 | Christian Grothoff | Fixed in Version | => 0.8 |
2021-08-11 14:18 | Christian Grothoff | Target Version | => 0.8 |
2021-08-24 16:22 | Christian Grothoff | Status | resolved => closed |