Grouper Users - Open Discussion List

["GW Brown, Information Systems and Computing" <>]

I've committed changes to HEAD which means that debugging is off by 
default, but can be turned on through the ui build.properties or limited to 
members of a group.

Gary

--On 27 February 2009 16:27 -0500 Chris Hyzer 
<>
 wrote:

> > Is there any sensitive info that's revealed in debug mode? If not, then
> > perhaps debug mode itself will scare off those that happen to find it
> > but weren't seeking it.
>
>
> Are you suggesting we don't protect it?  Web security principals suggest
> you should give users the least amount of information they need,
> including debug or error traces.  But anyways, without going into details
> of whether or not which parts of it are sensitive in a public forum, and
> before everyone is running on a copy of grouper which is protected, I
> suggest we protect in 1.4.2.  I glanced at the data and don't see any
> glaring red flags.  Also, when programming webapps in java, it is an
> assumption of the developer that server-side state (e.g. request,
> session, context attributes) are not accessible to the user.  So even if
> something isn't sensitive today, doesn't mean that is the case tomorrow.
>
> Also, if you want to look for yourself at the info or have concerns, you
> could make a rule which makes that url location (to enable it)
> unavailable in apache e.g. with an alias.  My grouper installation has a
> very limited user base, so Im not concerned.  If you have an installation
> with untrusted users you might want to consider it.
>
> Thanks,
> Chris



----------------------
GW Brown, Information Systems and Computing