Credentials embedded in destination URLs exposed in the dashboard #5
Comments
|
I'm not sure I would go on to call this a security vulnerability. FTS openly claims whatever is in the URL is treated as public data. FTS is also protocol agnostic (for the better part), so it won't treat an The actual storage interaction is delegated to the Gfal2 library. Here, there is a mechanism to configure a username/password credential for FTP protocol. Perhaps you're asking for a feature that doesn't exist yet in FTS: identify and extract user credentials from URL at submission time. |
|
Salut Mihai, I tried to transfer to a FTP server using FTS, and it does not work unless the FTP server accepts anonymous operations (this is indeed a feature request, but I will create another issue for it). I do not know of any other mechanism to supply the credentials for these FTP destinations than to embed them in the URL. I understand FTS has this disclaimer that whatever is in the URL is treated as public data. But if FTP is to be supported, this has to change. Cele bune, |
If I create a transfer where the destination URLs include a username/password (e.g.
ftp:https://username:[email protected]/path/file.zip) then the credentials are exposed in the FTS dashboard, as the full URL is shown there. The dashboard must strip the credentials from the URLs. This is a very serious security vulnerability.@mpatrascoiu
The text was updated successfully, but these errors were encountered: