
grouper-users - RE: [grouper-users] Grouper UI 1.4.1 and Mac Safari 4 beta

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Tom Barton <>, "GW Brown, Information Systems and Computing" <>
  • Cc: Scott Koranda <>, Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] Grouper UI 1.4.1 and Mac Safari 4 beta
  • Date: Fri, 27 Feb 2009 16:27:44 -0500
  • Accept-language: en-US


> Is there any sensitive info that's revealed in debug mode? If not, then
> perhaps debug mode itself will scare off those that happen to find it
> but weren't seeking it.


Are you suggesting we don't protect it? Web security principles suggest you
should give users the least amount of information they need, including debug
or error traces. But anyways, without going into details of whether or not
which parts of it are sensitive in a public forum, and before everyone is
running on a copy of Grouper which is protected, I suggest we protect in
1.4.2. I glanced at the data and don't see any glaring red flags. Also,
when programming webapps in Java, it is an assumption of the developer that
server-side state (e.g. request, session, context attributes) is not
accessible to the user. So even if something isn't sensitive today, that
doesn't mean that is the case tomorrow.

Also, if you want to look for yourself at the info or have concerns, you
could make a rule which makes that URL location (to enable it) unavailable in
Apache, e.g. with an alias. My Grouper installation has a very limited user
base, so I'm not concerned. If you have an installation with untrusted users,
you might want to consider it.

Thanks,
Chris


