Untrusted device should be disallowed from being an introducer #8920
Labels
bug
A problem with current functionality, as opposed to missing functionality (enhancement)
Milestone
A vulnerability report was submitted to the effect that the
untrusted
flag doesn't properly prevent combining withintroducer
, thus allowing the supposedly untrusted device to introduce trusted devices into the cluster and causing a data leak. Since this is a misconfiguration that needs to happen on the trusted side, I decided it's low impact enough to be published as a public issue while we're fixing it.This may also apply to other settings, such as auto-accepting folders which makes no sense from an untrusted device.
Originally reported by @vibs29
The text was updated successfully, but these errors were encountered: