Re: [cross-project-issues-dev] [AERI] Using JVMTI to collect local variables in error reports

Thank you for your input Sam.

> On 04 Oct 2016, at 18:28, Sam Davis <sam.davis@xxxxxxxxxxx> wrote:
> 
> One thing that immediately comes to mind is that local variables may contain passwords.

True. That might happen.

> I think we would, at minimum, need a way for the user to see all of the values they are sharing before sharing them, and it would have to be clear to users when they enable this feature that they are putting their passwords at risk.

Yes, something along these lines should be stated somewhere. We may add additional checks for special variable names like user, username, pass, password and warn the user if variables with these names are found.


> I wonder if it would be useful to replace the values of string variables with a non-reversible hash.

No, I guess that a fair share of all problems are caused by some “invalid” or “unexpected” strings. Hashing them will make this feature useless in (too) many cases (I guess).

Marcel



