Web Server Bug

Ricky Zhou ricky at fedoraproject.org
Fri Jun 15 02:59:55 UTC 2007


David Douthitt wrote:
> I submitted my GPG key, got an account, signed the CLA, etc.  Then I
> went to change my user details (for group membership) and put
> "Infrastructure" into the box on the bottom (above the dropbox that
> defaults to "user") and the python code blew up.
As far as I can tell, this is the response when the group doesn't exist
(looks like it's case sensitive - you probably wanted "infrastructure").

> One other thing - isn't the error itself a security error?  I mean, it
> gives me Python code, line numbers, procedure names, Python version and
> location, and more.  
I don't think just showing code/non-sensitive debugging information is a
huge security problem.  Consider that the code for the accounts system
is publicly viewable in CVS anyway (hooray for openness):
http://cvs.fedoraproject.org/viewcvs/fedora-accounts/?root=fedora.

As a side note, I think the accounts system is being rewritten, so
hopefully such errors will be treated more gracefully in the future.

Ricky



More information about the Fedora-infrastructure-list mailing list