Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Grouper UI 1.4.1 and Mac Safari 4 beta

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Grouper UI 1.4.1 and Mac Safari 4 beta

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Tom Barton <>, "GW Brown, Information Systems and Computing" <>
  • Cc: Scott Koranda <>, Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] Grouper UI 1.4.1 and Mac Safari 4 beta
  • Date: Fri, 27 Feb 2009 16:27:44 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

> Is there any sensitive info that's revealed in debug mode? If not, then
> perhaps debug mode itself will scare off those that happen to find it
> but weren't seeking it.

Are you suggesting we don't protect it? Web security principals suggest you
should give users the least amount of information they need, including debug
or error traces. But anyways, without going into details of whether or not
which parts of it are sensitive in a public forum, and before everyone is
running on a copy of grouper which is protected, I suggest we protect in
1.4.2. I glanced at the data and don't see any glaring red flags. Also,
when programming webapps in java, it is an assumption of the developer that
server-side state (e.g. request, session, context attributes) are not
accessible to the user. So even if something isn't sensitive today, doesn't
mean that is the case tomorrow.

Also, if you want to look for yourself at the info or have concerns, you
could make a rule which makes that url location (to enable it) unavailable in
apache e.g. with an alias. My grouper installation has a very limited user
base, so Im not concerned. If you have an installation with untrusted users
you might want to consider it.


Archive powered by MHonArc 2.6.16.

Top of Page