[Monotone-devel] monotone / indefero: information disclosure

From: Thomas Keller
Subject: [Monotone-devel] monotone / indefero: information disclosure
Date: Tue, 26 Apr 2011 14:36:31 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; de; rv: Gecko/20110303 Lightning/1.0b3pre Thunderbird/3.1.9

Hi all!

Indefero's monotone plugin might disclose private key information when
Indefero's debug output is switched on.

Since monotone's frontend needs its own private key to authenticate
against a running server, this key is created on-the-fly when a new
project is created, added to the monotone instance and saved in the
project configuration for later usage.

Now when _any_ kind of exception triggers Pluf's error handler, the
current IDF_Project instance is dumped together with the said private
key data that are read from IDF's database.

Therefore please consider disabling Pluf's debug output when you run an
IDF instance with monotone support in production until I have found a better
way to handle the frontend authentication issue. You can do this by setting

   $cfg['debug'] = false;

in your src/IDF/conf/idf.php.

Many thanks go to Frère Sébastien Marie <address@hidden> who
pointed me at this issue.


GPG-Key 0x160D1092 | address@hidden |
Please note that according to the EU law on data retention, information
on every electronic information exchange might be retained for a period
of six months or longer:

Attachment: signature.asc
Description: OpenPGP digital signature
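
A check for the setting recommended in the message above, added here as an example (not part of the original post and not Indefero code): it reports whether the last uncommented assignment to `$cfg['debug']` in an idf.php is a false literal. The sample config, the function names and the handling of a missing assignment as "unset" are assumptions of this example.

```python
import re
import sys

# Constructed sample of an idf.php fragment (not taken from a real install).
SAMPLE_CONF = """<?php
$cfg = array();
// $cfg['debug'] = false;
$cfg['debug'] = true;
/* $cfg['debug'] = false; */
return $cfg;
"""

# String literals are matched first so comment markers inside them are kept.
_TOKEN = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
_ASSIGN = re.compile(r"""\$cfg\s*\[\s*(['"])debug\1\s*\]\s*=(?!=)\s*([^;]+);""")

# Literals PHP treats as false / true; anything else needs a human look.
_OFF = {"false", "0", "null", "''", '""', "'0'", '"0"'}
_ON = {"true", "1"}


def strip_comments(src):
    """Blank out //, # and /* */ comments, leaving string literals intact."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", src)


def debug_state(src):
    """Return 'off', 'on', 'unknown' (non-literal value) or 'unset'."""
    values = [m.group(2).strip().lower()
              for m in _ASSIGN.finditer(strip_comments(src))]
    if not values:
        return "unset"
    last = values[-1]  # a later assignment overrides an earlier one
    if last in _OFF:
        return "off"
    return "on" if last in _ON else "unknown"


if __name__ == "__main__":
    # Usage: python check_idf_debug.py src/IDF/conf/idf.php
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    state = debug_state(text)
    print("debug is", state)
    sys.exit(0 if state == "off" else 1)
```

Any result other than "off" exits non-zero, so the script can gate a deployment step; "unset" and "unknown" should be reviewed by hand rather than assumed safe.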
