by aj-code
4864 days ago
This has some fairly serious security issues, which is fine for something not designed to be seriously used (or at all). However, the readme implies you could use this and your files will be safer than with some third party. Which is dangerous, to say the least. I'll outline a few obvious issues I see:

- No explicit protection against directory traversal attacks (../../etc/passwd type stuff) on upload and download.
- Shell command injection on the file name on upload.
- Naive authentication.
- Unsalted, fast hash sent in the URL.
- Password stored in clear text server side.
- No transport security (HTTPS).

This is cool as an interesting project to work on, but it should be made clear not to use this for anything just yet.
I don't understand the point of hashing the password in the client anyway... The hash is as good as the password to an attacker.
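The following is an added example, not code from the project under discussion or from the commenter, showing the fixes for three of the points raised above: the traversal and shell-injection issues on the uploaded file name, and the unsalted fast hash / cleartext password storage. It assumes a Python upload handler that receives a file name and raw bytes; the function names (`is_safe_filename`, `resolve_upload_path`, `store_upload`, `hash_password`, `verify_password`), the upload directory, and the sample inputs are all constructed for the example. It also addresses the last remark: a client-side hash of the password is just a password-equivalent, so the hashing that matters happens server side with a per-user random salt and a slow KDF, and the credential should travel in a POST body over TLS rather than in the URL (the transport part cannot be shown in code here).

```python
import hashlib
import hmac
import os
import re
import secrets
import tempfile

# ---- File names: traversal and shell injection --------------------------

# Allowlist, not denylist: the name must start with a letter or digit and
# contain only [A-Za-z0-9._-]. That rejects "/", "\\", "..", ";", "$(...)",
# spaces and leading dots with one rule, so a name can neither leave the
# upload directory nor carry shell metacharacters. (Hypothetical policy.)
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_filename(name: str) -> bool:
    return _SAFE_NAME.fullmatch(name) is not None


def resolve_upload_path(base_dir: str, name: str) -> str:
    """Return the absolute path for `name` inside `base_dir`, or raise.

    Second layer: even after the allowlist, confirm the resolved path is
    still below the upload directory (symlinks included, via realpath).
    """
    if not is_safe_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload dir: {name!r}")
    return target


def vulnerable_store(base_dir: str, name: str, src: str) -> None:
    """The anti-pattern from the comment: user-supplied name interpolated into
    a shell command. A name like 'x; rm -rf /' runs the second command.
    Shown for contrast only; the demo below never calls it."""
    os.system(f"mv {src} {base_dir}/{name}")  # deliberately unsafe


def store_upload(base_dir: str, name: str, data: bytes) -> str:
    """Hardened version: validated name, no shell, write inside base_dir."""
    target = resolve_upload_path(base_dir, name)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


# ---- Passwords: salted, slow, verified server side ------------------------

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Random 16-byte salt + PBKDF2-HMAC-SHA256; store this string, never
    the password or an unsalted fast hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Exercise the hardened code on constructed inputs in a temp directory."""
    with tempfile.TemporaryDirectory() as base:
        stored = store_upload(base, "report.pdf", b"constructed sample bytes")
        stored_ok = os.path.isfile(stored)
        rejected = []
        for bad in ("../../etc/passwd", "x; rm -rf /", "$(id).txt", ".bashrc", "a/b.txt"):
            try:
                resolve_upload_path(base, bad)
            except ValueError:
                rejected.append(bad)
    record = hash_password("correct horse")
    return {
        "stored_ok": stored_ok,
        "rejected": rejected,
        "verify_ok": verify_password(record, "correct horse"),
        "verify_bad": verify_password(record, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is deliberately stricter than "strip `../`": rejecting anything outside a small character set is easier to reason about than enumerating bad sequences, and the `realpath`/`commonpath` check catches anything the regex might miss. On the password side the point is that the salt makes precomputed tables useless and the iteration count makes each guess expensive, neither of which a client-side hash provides.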