environment in reports can contain sensitive information
Bug #56846 reported by Brian J. Murrell
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apport (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
When apport wants to send a bug report, it fetches the environment that it was running in. This can contain sensitive information such as:
http_proxy=http://
There might be other examples.
This is a bit tricky to solve. The bug reporting window explains that you should only attach the report if the program does not deal with sensitive data, but of course this does not make it clear that this covers the environment as well (and it is too hard to explain, too).
Maybe I should leave out the environment completely or just filter out some interesting stuff like $SHELL, $PATH, $LANGUAGE, and $LANG. These are the only interesting and insensitive variables that come to my mind right now.
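
The allowlist idea from the comment above, as an added example (not apport's code and not part of the original thread). It assumes the environment arrives as a NUL-separated block in the `/proc/<pid>/environ` layout; the function names and the sample values are constructed for illustration.

```python
# Allowlist: exactly the variables named in the comment above.
SAFE_VARS = frozenset({"SHELL", "PATH", "LANGUAGE", "LANG"})


def parse_environ(raw: bytes) -> dict:
    """Parse a NUL-separated environment block into {name: value}."""
    env = {}
    for entry in raw.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            continue  # empty trailing record or entry without NAME=
        # Environment bytes need not be valid UTF-8; never fail on them.
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def report_environment(raw: bytes, allowed=SAFE_VARS) -> str:
    """Return the environment text to attach to a report."""
    env = parse_environ(raw)
    # Exact, case-sensitive match. Anything not named is dropped, so a
    # variable nobody anticipated (proxy URL, token) is excluded by default.
    kept = {k: v for k, v in env.items() if k in allowed}
    # Escape newlines so a value cannot forge extra NAME=value lines.
    lines = [f"{k}={v}".replace("\n", "\\n") for k, v in sorted(kept.items())]
    return "\n".join(lines)


# Constructed sample input; the credentials and token are made up.
SAMPLE = (
    b"SHELL=/bin/bash\0"
    b"http_proxy=http://user:example-password@proxy.example:3128/\0"
    b"LANG=en_GB.UTF-8\0"
    b"PATH=/usr/local/bin:/usr/bin:/bin\0"
    b"SESSION_TOKEN=constructed-value\0"
    b"BROKEN_ENTRY\0"
)

if __name__ == "__main__":
    print(report_environment(SAMPLE))
```

A denylist of known-sensitive names would have to anticipate every variable that can carry a secret; the allowlist only has to name the few that are useful for debugging.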