[GHC] #15371: Eventlog framework outputs environment variables which may cause a security issue
GHC
ghc-devs at haskell.org
Fri Jul 13 00:04:09 UTC 2018
#15371: Eventlog framework outputs environment variables which may cause a security
issue
-------------------------------------+-------------------------------------
Reporter: maoe | Owner: (none)
Type: feature | Status: new
request |
Priority: normal | Milestone:
Component: Runtime | Version: 8.4.3
System |
Keywords: | Operating System: Unknown/Multiple
Architecture: | Type of failure: Other
Unknown/Multiple |
Test Case: | Blocked By:
Blocking: | Related Tickets:
Differential Rev(s): | Wiki Page:
-------------------------------------+-------------------------------------
The eventlog framework currently writes all environment variables to the
eventlog file. This may cause a security issue as some external tools
expect user to set credentials in environment variables. It's possible for
the user to publish an eventlog which contains credentials without knowing
it.
In general it's not a good idea to set credentials in environment
variables but I think GHC should stop writing environment variables to the
eventlog implicitly and this feature should be opt-in.
I'm not sure if this feature is widely used or if we can just drop it. If
it's used to some extend maybe we can provide a function that does this
job in a library.
--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/15371>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
More information about the ghc-tickets
mailing list