So one can "inject" files in somebody else's repository?

The following was tested on two of my computers:

Install syncthing (v0.8.13) instances on different machines: MachineA, MachineB.

Create a repository named “documents” on MachineA, restart syncthing on MachineA. Create a repository named “documents” on MachineB, restart syncthing on MachineB.

Add node of MachineB to syncthing on MachineA. Restart syncthing on MachineA. Add node of MachineA (NodeA) to syncthing on MachineB. Restart syncthing on MachineB. Enable syncing of repository “documents” on MachineB with NodeA. Restart syncthing on MachineB.

Create a file in repository “documents” on MachineB. Give it time to sync. The file is synced with repository “documents” on MachineA.

The repository “documents” is not shared at this point with any node, still files appear in it. So by “guessing” share names one could push files to other (users’) unshared repositories? I suppose that this behavior could propagate over several nodes.

Is this behavior intended by design?

No, this is a bug. MachineB announces the index for “documents”, and although MachineA does not share “documents” with B it accepts the index and processes it. This is a side effect of relaxing the security for issue 223.

It should be fixed. Do you mind filing a bug?

Thanks for the quick reply. I created issue #342; the content is pretty much the same as the one posted here. Please feel free to correct as necessary.

Thanks. Fixed, will be in the next release.
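
The missing check described in the reply above, sketched as an added example (not Syncthing's code and not posted by anyone in this thread). `Model`, its methods and `ErrNotShared` are hypothetical names: `HandleIndexUnchecked` processes an index for any repository name that exists locally, while `HandleIndex` requires the repository to be shared with the sending node.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNotShared = errors.New("repository not shared with sending node")

// Model is a hypothetical, simplified stand-in for a node's sync state.
type Model struct {
	sharedWith map[string]map[string]bool // repo ID -> node IDs it is shared with
	files      map[string][]string        // repo ID -> file names from accepted indexes
}

func NewModel() *Model {
	return &Model{sharedWith: map[string]map[string]bool{}, files: map[string][]string{}}
}

// AddRepo registers a local repository and the nodes it is shared with (possibly none).
func (m *Model) AddRepo(repo string, nodes ...string) {
	m.sharedWith[repo] = map[string]bool{}
	for _, n := range nodes {
		m.sharedWith[repo][n] = true
	}
}

// HandleIndexUnchecked models the bug: any index whose repo name exists locally is processed.
func (m *Model) HandleIndexUnchecked(node, repo string, names []string) error {
	if _, ok := m.sharedWith[repo]; !ok {
		return ErrNotShared
	}
	m.files[repo] = append(m.files[repo], names...)
	return nil
}

// HandleIndex processes an index only if the repo is explicitly shared with the sender.
func (m *Model) HandleIndex(node, repo string, names []string) error {
	if !m.sharedWith[repo][node] { // unknown repo or unlisted node both yield false
		return fmt.Errorf("%w: repo %q, node %q", ErrNotShared, repo, node)
	}
	m.files[repo] = append(m.files[repo], names...)
	return nil
}

func main() {
	m := NewModel()
	m.AddRepo("documents") // exists on MachineA, shared with nobody (constructed sample)
	fmt.Println(m.HandleIndexUnchecked("NodeB", "documents", []string{"a.txt"}), m.HandleIndex("NodeB", "documents", []string{"a.txt"}))
}
```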