commit ea3a137a097c03c8b4877a855197797d61c882d4
parent 32b310e90e3ebdf8df2fd161f954f574aa62aae9
Author: Thien-Thi Nguyen <ttn@gnuvola.org>
Date:   Tue, 10 Aug 2021 23:01:34 -0400

    add note in instance setup section re instance existence leak

Diffstat:
 M  taler-merchant-manual.rst | 6 ++++++
 1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst @@ -773,6 +773,12 @@ similar to the ``root`` account on UNIX. The following documentation shows how to handle any instance, so you should read it twice, first creating the ``default`` instance, then creating normal ones. +.. note:: + A security concern is that instance existence is leaked by normal API usage. + This means unauthorized users can distinguish between the case where the + instance does not exist (HTTP 404) and the case where access is denied + (HTTP 403). + KUDOS Accounts --------------
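Review bot: the new ``.. note::`` states the 403-versus-404 distinction but gives the operator nothing to act on; it should spell out the consequence, namely that an instance identifier must not be treated as a secret, since anyone the backend answers can learn whether a given instance exists before presenting any credential. The phrase "unauthorized users" is also ambiguous: say whether the distinction is visible to unauthenticated callers, to callers holding a token for a different instance, or both, and name which endpoints return 404 for a missing instance versus 403 for a denied one, so readers can verify the behaviour against their own deployment. A possible wording for the first sentence: "Instance existence is leaked by normal API usage: any client that can reach the backend can tell a missing instance (HTTP 404) from one it is not allowed to access (HTTP 403), so instance identifiers must not be relied on as secrets."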