author | Thien-Thi Nguyen <ttn@gnuvola.org> | 2021-08-10 23:01:34 -0400 |
---|---|---|
committer | Thien-Thi Nguyen <ttn@gnuvola.org> | 2021-08-10 23:01:34 -0400 |
commit | ea3a137a097c03c8b4877a855197797d61c882d4 (patch) | |
tree | b594a435a0e1c533f8c11702d86870aea0b78424 /taler-merchant-manual.rst | |
parent | 32b310e90e3ebdf8df2fd161f954f574aa62aae9 (diff) | |
download | docs-ea3a137a097c03c8b4877a855197797d61c882d4.tar.gz docs-ea3a137a097c03c8b4877a855197797d61c882d4.tar.bz2 docs-ea3a137a097c03c8b4877a855197797d61c882d4.zip |
add note in instance setup section re instance existence leak
Diffstat (limited to 'taler-merchant-manual.rst')
-rw-r--r-- | taler-merchant-manual.rst | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst index 1cc59261..4a9fd7a5 100644 --- a/taler-merchant-manual.rst +++ b/taler-merchant-manual.rst @@ -773,6 +773,12 @@ similar to the ``root`` account on UNIX. The following documentation shows how to handle any instance, so you should read it twice, first creating the ``default`` instance, then creating normal ones. +.. note:: + A security concern is that instance existence is leaked by normal API usage. + This means unauthorized users can distinguish between the case where the + instance does not exist (HTTP 404) and the case where access is denied + (HTTP 403). + KUDOS Accounts -------------- |
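Review bot: the new note tells the operator that instance existence leaks (404 vs. 403) but gives no guidance on what follows from that; consider adding a sentence stating that instance identifiers must therefore not be treated as secrets, and whether the 404/403 distinction is accepted behaviour or a known limitation. "normal API usage" is also vague for a security note: say which requests reveal it (presumably any request under an instance's base URL, which the text should confirm or correct) so an operator can judge the exposure. Minor: the RST is sound, but a blank line before the ``KUDOS Accounts`` heading is already present, so the trailing ``+`` empty line is fine; no change needed there.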