#922 assigned defect

The URL of the info page for an unknown dirnode should not grant authority to the containing directory

Reported by: davidsarah
Owned by: davidsarah
Priority: major
Milestone: soon
Component: code-frontend-web
Version: 1.5.0
Keywords: capleak integrity confidentiality newurls
Cc:
Launchpad Bug:

Description

For known cap types, the URL of the info page for a dirnode is specific to that directory entry, and does not grant any authority to the containing directory. This is as it should be.

For unknown caps, however, the URL of the info page does include the directory readcap (see the comment at source:src/allmydata/web/directory.py#737).

This grants excess authority -- a user might reasonably expect that info pages do not grant authority to read their containing directory, and it is surprising that this happens only for unknown nodes.

We could still display both the writecap and readcap URIs of the unknown dirnode, by stuffing both of them into the info page URL.
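
An added example, not part of the ticket or the Tahoe-LAFS code base: a checker that reports which cap an info-page URL embeds and whether the URL carries authority over a containing directory. The URL shapes `/uri/<cap>?t=info` (entry-specific) and `/uri/<dircap>/<child>?t=info` (directory-relative), the function name, and the sample caps are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Directory cap prefixes considered here (assumption: only the mutable
# directory writecap and readcap forms are checked).
DIR_WRITE_PREFIX = "URI:DIR2:"
DIR_READ_PREFIX = "URI:DIR2-RO:"


def authority_of_info_url(url):
    """Classify the cap embedded in an info-page URL (hypothetical helper).

    Returns a dict with:
      cap_kind     -- "dir-write", "dir-read" or "other"
      children     -- path segments that follow the cap
      leaks_parent -- True when the URL names a child *through* a directory
                      cap, so anyone holding the URL can reach that directory
    """
    parts = urlsplit(url)
    # Split before unquoting so an encoded "/" in a child name is not
    # mistaken for a path separator.
    segments = parts.path.split("/")  # "/uri/CAP/x" -> ["", "uri", "CAP", "x"]
    if len(segments) < 3 or segments[1] != "uri" or not segments[2]:
        raise ValueError("not a /uri/<cap> URL: %r" % url)

    cap = unquote(segments[2])
    children = [unquote(s) for s in segments[3:] if s]

    if cap.startswith(DIR_WRITE_PREFIX):
        cap_kind = "dir-write"
    elif cap.startswith(DIR_READ_PREFIX):
        cap_kind = "dir-read"
    else:
        cap_kind = "other"

    leaks_parent = cap_kind != "other" and bool(children)
    return {"cap_kind": cap_kind, "children": children,
            "leaks_parent": leaks_parent}


# Constructed sample URLs; the cap bodies are placeholders, not real caps.
ENTRY_SPECIFIC = "http://127.0.0.1:3456/uri/URI%3ACHK%3Acccc%3Adddd%3A3%3A10%3A1234?t=info"
DIR_RELATIVE = "http://127.0.0.1:3456/uri/URI%3ADIR2-RO%3Aaaaa%3Abbbb/unknown-child?t=info"

if __name__ == "__main__":
    for sample in (ENTRY_SPECIFIC, DIR_RELATIVE):
        print(sample, "->", authority_of_info_url(sample))
```
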

Change History (6)

comment:1 Changed at 2010-01-22T00:58:52Z by davidsarah

Note that this is quite difficult to reproduce at the moment because an UnknownNode is not allowed to be stored in a directory by a Tahoe 1.5 or earlier client. Tahoe 1.6 clients (if we finish and review #833 in time, which we're still on course to do) will allow storing unknown nodes. It's quite unlikely that they will be stored accidentally, though, because you will need to submit a JSON body containing an unknown cap (the operations that take a cap in the URL cannot be used for this).

I don't think this is sufficient reason to change the plan to allow adding unknown nodes to directories, because leakage of the directory readcap already happens in other (more likely) cases when you share a file URL that is relative to a directory.

comment:2 Changed at 2010-02-01T19:46:03Z by davidsarah

  • Milestone changed from undecided to 1.7.0

comment:3 Changed at 2010-03-12T04:12:53Z by davidsarah

  • Owner set to davidsarah
  • Status changed from new to assigned

comment:4 Changed at 2010-06-12T21:03:44Z by davidsarah

  • Milestone changed from 1.7.0 to 1.7.1

comment:5 Changed at 2010-07-11T21:34:44Z by davidsarah

  • Milestone changed from 1.7.1 to 1.8.0

comment:6 Changed at 2010-08-08T05:33:57Z by davidsarah

  • Milestone changed from 1.8.0 to soon