
Connector 2.1: expose attachmentMode in saveItems #212

Closed

Conversation

alexeicolin

This allows one to add files by path via the connector.

This is to support libnstzotero, a plugin for GNOME's nautilus-sendto (to be able to add PDFs directly to Zotero from e.g. evince).

If this patch is not accepted, then I'll have to extend the connector via an extension. That route seemed like overkill for just one flag. Thank you for your consideration.

@simonster
Member

Because this endpoint is accessible to the bookmarklet, this functionality would mean that granting a website read access to your Zotero library via the Zotero API is equivalent to granting said website read access to your hard drive, which is bad. It could also have security implications on a multi-user system if the Zotero Standalone data directory is readable by other users.

I think this would be safe against the former attack if you created a separate method without permitBookmarklet set, although I need to think more. You could also use Zotero.IPC.Pipe.initPipeListener(nsIFile, fn) to create a named pipe, which would let you make write access to the pipe accessible only to the user running Zotero and also allow you to integrate with Zotero for Firefox, which doesn't currently run the connector HTTP server.
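One way to model the mitigation suggested above (keep path-based attachments off any endpoint the bookmarklet can reach, and serve them only from a separate, local-only method), as an added example that is not Zotero's own code; the endpoint names, attachment modes and the `validateAttachment` function are assumptions:

```javascript
// Added example, not Zotero code. Models the two attachment sources the thread
// discusses and the check that keeps a web-reachable endpoint from turning
// library access into local file read access.
const ATTACHMENT_MODE_URL = "url";   // fetch a remote http(s) URL (existing behaviour)
const ATTACHMENT_MODE_PATH = "path"; // add a local file by path (what the PR proposed)

// Hypothetical endpoint table: permitBookmarklet means arbitrary web pages can call it.
const ENDPOINTS = {
  saveItems:      { permitBookmarklet: true },   // reachable from the bookmarklet
  saveLocalFiles: { permitBookmarklet: false },  // local trusted client only (assumed name)
};

// Accept only http(s) URLs; a "file:" URL would be a disguised local read.
function parseHttpUrl(value) {
  let u;
  try { u = new URL(value); } catch (e) { return null; }
  return (u.protocol === "http:" || u.protocol === "https:") ? u : null;
}

// Decide whether one attachment request may be honoured on a given endpoint.
// Returns { ok: true } or { ok: false, reason }.
function validateAttachment(endpointName, attachment) {
  const endpoint = ENDPOINTS[endpointName];
  if (!endpoint) return { ok: false, reason: "unknown endpoint" };
  switch (attachment.mode) {
    case ATTACHMENT_MODE_URL:
      return parseHttpUrl(attachment.url)
        ? { ok: true }
        : { ok: false, reason: "url attachments must be http(s)" };
    case ATTACHMENT_MODE_PATH:
      // A page that can reach this endpoint could otherwise read any file the
      // Zotero process can open by "piping" it into the library.
      if (endpoint.permitBookmarklet) {
        return { ok: false, reason: "path attachments not allowed on a web-reachable endpoint" };
      }
      return { ok: true };
    default:
      return { ok: false, reason: "unknown attachment mode" };
  }
}
```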

@alexeicolin
Author

Thank you for taking a look:

On 12/19/2012 07:42 PM, Simon Kornblith wrote:

> Because this endpoint is accessible to the bookmarklet, this functionality would mean that granting a website read access to your Zotero library via the Zotero API is equivalent to granting said website read access to your hard drive, which is bad.

Wait, to take a step back: by "this functionality" are you referring to the patch or to the HTTP connector server in general?

I thought the patch only affects the source alone (i.e. where the PDF comes from: without the patch, a remote URL; with the patch, a remote URL or a local path). Without the patch, whoever has access to the connector could cause a file to be downloaded and added to the library; with the patch, that whoever could also cause a file from a local path to be added to the library. Does this introduce new security issues? Please help me understand. Thank you.

@simonster
Member

Without this patch, no one can add files to your library without already being able to access those files themselves. With this patch, someone could.

@alexeicolin
Author

On 12/19/2012 11:13 PM, Simon Kornblith wrote:

> Without this patch, no one can add files to your library without already being able to access those files themselves. With this patch, someone could.

Understood. Thanks. Read the local file system by 'piping' it through the Zotero library.

Ok, forget this PR then. I'll look into the pipe you mentioned.

@simonster simonster closed this Dec 20, 2012
tnajdek pushed a commit to tnajdek/zotero that referenced this pull request Jan 25, 2024