[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
HEADS UP: Scripts accessing tarsnap account management interface
Hi all,
This only affects a small proportion of tarsnap users, but a couple people
have tripped over it already so I thought I should send out a heads-up email
just in case.
If you have code which automatically fetches /manage.cgi with your login
credentials, you may need to update it. Requests which do not have an
"action" specified will now receive an HTTP 302 redirect to a GET; if your
code does not follow redirects or discards cookies between requests then it
will fail.
Logging in using a web browser is not affected, since web browsers should
handle the redirect and cookies properly. Requests which have an "action"
parameter (e.g., to download usage records in CSV format) are also not
affected. I believe the most common affected use case is for scraping the
account balance from the interface.
(The reason for this change was so that web browsers will keep a GET in their
history rather than a POSTed form.)
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid