-
-See also cautions.rst_.
+.. -*- coding: utf-8-with-signature -*-
-.. _cautions.rst: file:cautions.rst
+See also `cautions.rst`_.
+
+.. _cautions.rst: cautions.rst
============
Known Issues
.. _the "historical known issues" document: historical/historical_known_issues.txt
-Known Issues in Tahoe-LAFS v1.9.2, released 3-Jul-2012
-======================================================
+Known Issues in Tahoe-LAFS v1.10.2, released 30-Jul-2015
+========================================================
* `Unauthorized access by JavaScript in unrelated files`_
* `Disclosure of file through embedded hyperlinks or JavaScript in that file`_
for "map-update" operations (which occur when mutable files, including
directories, are read or written). This page contains per-server response
times, as lines of text, and includes an image which displays the response
-times in graphical form. The image is generated by constructing a URL for the
-`Google Chart API <https://developers.google.com/chart/image/>`_, which is
-then served by the `chart.apis.google.com` internet server.
+times in graphical form. The image is generated by constructing a URL for
+the `Google Chart API`_, which is then served by the `chart.apis.google.com`
+internet server.
+
+.. _Google Chart API: https://developers.google.com/chart/image/
When you view this page, several parties may learn information about your
Tahoe activities. The request will typically include a "Referer" header,
even for SVG images).
In addition, if your Tahoe node connects to its grid over Tor or i2p, but the
-web browser you use to access it does not, then this image link may reveal
-your use of Tahoe to the outside world. It is not recommended to use a
-browser in this way, because other links in Tahoe-stored content would reveal
-even more information (e.g. an attacker could store an HTML file with unique
-CSS references into a shared Tahoe grid, then send your pseudonym a message
-with its URI, then observe your browser loading that CSS file, and thus link
-the source IP address of your web client to that pseudonym).
+web browser you use to access your node does not, then this image link may
+reveal your use of Tahoe (and that grid) to the outside world. It is not
+recommended to use a browser in this way, because other links in Tahoe-stored
+content would reveal even more information (e.g. an attacker could store an
+HTML file with unique CSS references into a shared Tahoe grid, then send your
+pseudonym a message with its URI, then observe your browser loading that CSS
+file, and thus link the source IP address of your web client to that
+pseudonym).
A future version of Tahoe will probably replace the Google Chart API link
(which was deprecated by Google in April 2012) with client-side javascript
could write the corrupted data back into place, making the damage
persistent)
-
-.. _#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
-
----
Known Issues in Tahoe-LAFS v1.8.2, released 30-Jan-2011
projects / tahoe-lafs / tahoe-lafs.git / blobdiff