[Monotone-devel] monotone / indefero: information disclosure

[Thomas Keller]

Hi all!

Indefero's monotone plugin might disclose private key information when
Indefero's debug output is switched on.

Since monotone's frontend needs its own private key to authenticate
against a running server, this key is created on-the-fly when a new
project is created, added to the monotone instance and saved in the
project configuration for later usage.

Now when _any_ kind of exception triggers Pluf's error handler, the
current IDF_Project instance is dumped together with the said private
key data that are read from IDF's database.

Therefor please consider to disable Pluf's debug output when you run an
IDF instance with monotone support in production until I found a better
way to handle the frontend authentication issue. You can do this by setting

   $cfg['debug'] = false;

in your src/IDF/conf/idf.php.

Many thanks go to Frère Sébastien Marie <address@hidden> who
pointed me at this issue.

Thomas.

-- 
GPG-Key 0x160D1092 | address@hidden | http://thomaskeller.biz
Please note that according to the EU law on data retention, information
on every electronic information exchange might be retained for a period
of six months or longer: http://www.vorratsdatenspeicherung.de/?lang=en

signature.asc
Description: OpenPGP digital signature