FiloSottile / Heartbleed

A checker (site and tool) for CVE-2014-0160
http://filippo.io/Heartbleed
MIT License

Add flag to cache data returned from a vuln check #83

Closed jrconlin closed 5 years ago

jrconlin commented 10 years ago

Data returned from a vuln may contain unknown or personal information. While this may be useful to individuals trying to fix libraries, it's not really appropriate to return that info to unknown parties. Adding a flag to disable this by default.

FiloSottile commented 10 years ago

I agree on the sentiment for this one, just to explain the reason for it behaving like it does: a lot of companies really needed the memory snippet to believe they were indeed vulnerable.

Implementation nitpick: I think the kill switch should turn off data reporting entirely, not only caching. Otherwise you would get different results on cached/uncached. (So set data = "" immediately after the Bleed call)
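To make that ordering concrete, here is an added Go example (not the project's code; the `CheckResult` and `Checker` types and the `bleed` stand-in are assumptions) contrasting a scrub applied right after the probe with one applied only to the cached copy:

```go
package main

import "fmt"

// CheckResult is the shape a checker hands back (assumed here; not the project's own type).
type CheckResult struct {
	Vulnerable bool
	Data       string // leaked memory snippet; may hold third-party or personal data
}

// bleed stands in for the network probe and returns a constructed sample payload.
func bleed(host string) CheckResult {
	return CheckResult{Vulnerable: true, Data: "constructed sample of leaked memory from " + host}
}

// Checker caches results per host; ReportData is the kill switch (false by default).
type Checker struct {
	ReportData bool
	cache      map[string]CheckResult
}

func NewChecker(reportData bool) *Checker {
	return &Checker{ReportData: reportData, cache: map[string]CheckResult{}}
}

// lookup serves host from the cache or probes it. With scrubEarly the snippet is
// dropped right after the probe, before it is cached or returned, so cached and
// uncached lookups agree; without it, the first (uncached) caller still gets the data.
func (c *Checker) lookup(host string, scrubEarly bool) CheckResult {
	if r, ok := c.cache[host]; ok {
		return r
	}
	r := bleed(host)
	if !c.ReportData && scrubEarly {
		r.Data = ""
	}
	cached := r
	if !c.ReportData {
		cached.Data = "" // the cache-only scrub that the comment says is not enough
	}
	c.cache[host] = cached
	return r
}

func (c *Checker) Check(host string) CheckResult          { return c.lookup(host, true) }  // recommended
func (c *Checker) CheckCacheOnly(host string) CheckResult { return c.lookup(host, false) } // flawed, for contrast

func main() {
	fmt.Printf("%+v\n", NewChecker(false).Check("example.invalid"))
}
```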

jrconlin commented 10 years ago

Yep, in our code we bit-bucket data as soon as we can, but then we're also not building a stand-alone server like you are.

Perfectly fine if you want to reject the PR. Just figured I'd hand back a mod.

jrconlin commented 5 years ago

Dead on the vine. Cleaning up.