Handling of TortoiseSVN crash report compromises security


Remco Nijhuis

Nov 4, 2008, 10:56:14 AM11/4/08
to us...@tortoisesvn.tigris.org
Hello,

I came across a crash report I submitted on TortoiseSVN using the automated
tool. I didn't know this report was submitted to the mailing list
org.tigris.tortoisesvn.crashreports. I found it on Google when it was
included on http://markmail.org/message/oooh2lhlt6tld46l. The report
includes a zipped .dmp dump file, containing bits and pieces of the source
code I was working on at the time.

You may imagine that these pieces of source code might include sensitive
information, e.g. config-files with usernames and passwords to database
servers used in the project. I regret this being publicly disclosed.

You might want to change procedures to prevent this. As a user, I'd like to
be warned about data disclosure when I am about to commit a crash report.
However satisfied I am about your work on TortoiseSVN in general, and
however much I am committed to help you improve the software using these
reports, I can't take the risk of spreading confidential information. So I
am sorry to say that I won't send crash reports until this is solved.

I'm not a member of this list, but please keep me informed about the
solution of this issue.

Kind regards,

Remco Nijhuis.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-un...@tortoisesvn.tigris.org
For additional commands, e-mail: users...@tortoisesvn.tigris.org

Stefan Küng

Nov 4, 2008, 11:33:19 AM11/4/08
to us...@tortoisesvn.tigris.org, wel...@remconijhuis.nl
Remco Nijhuis wrote:
> Hello,
>
> I came across a crash report I submitted on TortoiseSVN using the
> automated tool. I didn't know this report was submitted to the mailing
> list org.tigris.tortoisesvn.crashreports. I found it on Google when it
> was included on http://markmail.org/message/oooh2lhlt6tld46l. The report
> includes a zipped .dmp dump file, containing bits and pieces of the
> source code I was working on at the time.
>
> You may imagine that these pieces of source code might include sensitive
> information, e.g. config-files with usernames and passwords to database
> servers used in the project. I regret this being publicly disclosed.
>
> You might want to change procedures to prevent this. As a user, I'd like
> to be warned about data disclosure when I am about to commit a crash
> report. However satisfied I am about your work on TortoiseSVN in
> general, and however much I am committed to help you improve the
> software using these reports, I can't take the risk of spreading
> confidential information. So I am sorry to say that I won't send crash
> reports until this is solved.
>
> I'm not a member of this list, but please keep me informed about the
> solution of this issue.

I'm really sorry about that. I have no idea how they could index that
archive: that list is set to 'private' so that only project members have
access to it.
I contacted markmail and asked them to delete their index of this list.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net


Stefan Küng

Nov 5, 2008, 1:14:58 AM11/5/08
to us...@tortoisesvn.tigris.org, wel...@remconijhuis.nl
Remco Nijhuis wrote:
> Hello,
>
> I came across a crash report I submitted on TortoiseSVN using the
> automated tool. I didn't know this report was submitted to the mailing
> list org.tigris.tortoisesvn.crashreports. I found it on Google when it
> was included on http://markmail.org/message/oooh2lhlt6tld46l. The report
> includes a zipped .dmp dump file, containing bits and pieces of the
> source code I was working on at the time.
>
> You may imagine that these pieces of source code might include sensitive
> information, e.g. config-files with usernames and passwords to database
> servers used in the project. I regret this being publicly disclosed.
>
> You might want to change procedures to prevent this. As a user, I'd like
> to be warned about data disclosure when I am about to commit a crash
> report. However satisfied I am about your work on TortoiseSVN in
> general, and however much I am committed to help you improve the
> software using these reports, I can't take the risk of spreading
> confidential information. So I am sorry to say that I won't send crash
> reports until this is solved.

I've received a message from the MarkMail guys: they've removed the
index of our crash reports list.
