[security] Don't automatically download changes to libraries #20

Closed
equivalentideas opened this Issue Sep 28, 2017 · 4 comments

equivalentideas commented Sep 28, 2017

After selecting 'Download entire library' for a new library, when a new book was added to that library, it was automatically downloaded to my computer. This means the library owner can put any file they like on my computer.

That's a security problem for me, because while I trust the person who gave me the key for the library, I don't know if they're the owner and I don't know who the owner is. I can't trust this person I don't know to not use this as an attack, e.g. to send files to my computer that could put me in trouble with da law, plant evidence, etc.

equivalentideas commented Sep 28, 2017

There's also no obvious way I can close this connection as a user.

Member

e-e-e commented Sep 28, 2017

Thanks @equivalentideas. This happens because after selecting download the entire library it keeps the connection open. For now if you close and reopen dat library after downloading everything, it will reopen in sparse mode and only download the metadata that is freshly added.
We will fix this so that after downloading everything the dat is placed into sparse mode again.
Thanks for discovering this!
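
The behaviour discussed in the two comments above, as an added, self-contained model (not dat-library or hyperdrive code, and not part of the original thread). All names here (`Library`, `SparseClient`, `keepFollowing`, `scenario`) are hypothetical; `keepFollowing: true` models the reported behaviour, `false` models falling back to sparse mode once the requested download is done.

```javascript
// Added illustration: a model only, not dat-library or hyperdrive code.
// Constructed stand-in for a remote library whose owner can append files.
class Library {
  constructor() { this.entries = []; }
  add(name, content) { this.entries.push({ name, content }); }
}

class SparseClient {
  constructor(library, { keepFollowing = false } = {}) {
    this.library = library;
    this.keepFollowing = keepFollowing; // true = behaviour reported in this issue
    this.metadata = [];                 // names only: what sparse mode keeps in sync
    this.files = new Map();             // content actually written to the user's disk
    this.approvedUpTo = 0;              // how many entries the user asked to download
    this.seen = 0;
  }
  // User selects "Download entire library": consent covers what exists right now.
  downloadAll() {
    this.sync();
    this.approvedUpTo = this.library.entries.length;
    this.fetchApproved();
  }
  // Runs whenever the owner's changes replicate to this client.
  sync() {
    const entries = this.library.entries;
    for (; this.seen < entries.length; this.seen++) {
      this.metadata.push(entries[this.seen].name);
    }
    // Reported behaviour: one past approval silently extends to every new entry.
    if (this.keepFollowing && this.approvedUpTo > 0) this.approvedUpTo = entries.length;
    this.fetchApproved();
  }
  fetchApproved() {
    this.library.entries.slice(0, this.approvedUpTo)
      .forEach(e => this.files.set(e.name, e.content));
  }
  // Entries the user can see listed but has not downloaded.
  pending() { return this.metadata.filter(n => !this.files.has(n)); }
}

function scenario(keepFollowing) {
  const lib = new Library();
  lib.add('book-a.pdf', 'A');
  lib.add('book-b.pdf', 'B');
  const client = new SparseClient(lib, { keepFollowing });
  client.downloadAll();
  lib.add('unrequested.bin', 'X'); // owner adds a file after the user's download
  client.sync();
  return { onDisk: [...client.files.keys()], pending: client.pending() };
}
```

With `scenario(true)` the later file lands on disk without any user action; with `scenario(false)` it only appears in the metadata listing and waits for an explicit download.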

Member

e-e-e commented Oct 1, 2017

@equivalentideas I have opened a PR here mafintosh/hyperdrive@3c17e09 which should hopefully expose an interface in hyperdrive to solve this issue.

e-e-e added a commit to samiz-dat/dat-cardcat that referenced this issue Oct 22, 2017

Member

e-e-e commented Oct 22, 2017

This is fixed in this commit - samiz-dat/dat-cardcat@31551b6

Will be released with the next version of dat-library.

@e-e-e e-e-e closed this Oct 22, 2017

@e-e-e e-e-e removed the help wanted label Oct 23, 2017
