W3C home > Mailing lists > Public > public-ldp@w3.org > January 2015

POSTing to LDPC and security

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 30 Jan 2015 12:32:22 +0100
Message-ID: <CAKaEYhL2hKBXf-yAtU-9akn_8ZXpRbD9j5FwSGpQWj_XzQPj6w@mail.gmail.com>
To: public-ldp@w3.org
I'm using an LDPC as a webized version of a UNIX file system

What I do is POST to an LDPC and look for the location field after creating
a resource

Then I add an ACL file to control access

However I realized there is a short window where the file might not have
the access control I want.  An attacker could subscribe to the container
for notifications then intercept the message creating a race condition

In the UNIX world inodes and files are closely coupled so the operation is
atomic, this is not true in HTTP

Maybe a better idea would be to use the UNIX equivalent of a umask to set
default permissions

Any thoughts on this?
Received on Friday, 30 January 2015 11:32:49 UTC

This archive was generated by hypermail 2.3.1 : Friday, 30 January 2015 11:32:50 UTC