TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-12-12 00:52:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

drive: use secret token to authenticate access to file server on localhost

Browse Source 
This prevents Mark-of-the-Web bypass attacks in case someone visits the
localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
Percy Wegmann
2024-05-01 15:57:06 -05:00
committed by Percy Wegmann
parent 3349e86c0a
commit 07e783c7be
2 changed files with 33 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drive/driveimpl/drive_test.go
View File

@@ -131,7 +131,11 @@ func TestSecretTokenAuth(t *testing.T) {
Transport: &http.Transport{DisableKeepAlives: true},
}
addr := strings.Split(fileserverAddr, "|")[1]
u := fmt.Sprintf("http://%s/%s/%s", addr, "fakesecret", url.PathEscape(file111))
wrongSecret, err := generateSecretToken()
if err != nil {
t.Fatal(err)
}
u := fmt.Sprintf("http://%s/%s/%s", addr, wrongSecret, url.PathEscape(file111))
resp, err := client.Get(u)
if err != nil {
t.Fatal(err)