Title | MPS_TELEMETRY_CONTROL may introduce security risks |
Status | closed |
Priority | essential |
Assigned user | Richard Brooksby |
Organization | Ravenbrook |
Description | Setting the MPS_TELEMETRY_CONTROL environment variable causes the MPS to write telemetry to disk in the current working directory of an application built with the MPS. This is a very useful debugging and tuning feature, but it might introduce risks in production. |
Analysis | The behaviour is implemented in the plinth, so any client can disable it by modifying mpsliban.c. Document this, as a first step. Then discuss with our clients. |
How found | inspection |
Evidence | The getenv call in mpsliban.c. |
Created by | Richard Brooksby |
Created on | 2016-03-21 13:45:49 |
Last modified by | Gareth Rees |
Last modified on | 2016-09-04 15:28:25 |
History | 2016-03-21 RB Created. |
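
One way a client could apply the change the Analysis describes, as an added example that is not Ravenbrook's code: a replacement for the plinth function in mpsliban.c that ignores MPS_TELEMETRY_CONTROL unless the build opts in. Assumptions: the function name mps_lib_telemetry_control comes from the MPS plinth interface rather than from this record, CLIENT_ALLOW_TELEMETRY_ENV and telemetry_filter_from_text are hypothetical names, and only numeric values of the variable are handled.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical build switch (not an MPS macro): define it only for
   debugging or tuning builds that may take telemetry settings from
   the environment.  Production builds leave it undefined. */
#ifdef CLIENT_ALLOW_TELEMETRY_ENV
#define TELEMETRY_ENV_ALLOWED 1
#else
#define TELEMETRY_ENV_ALLOWED 0
#endif

/* Hypothetical helper: turn the variable's text into a telemetry
   filter value.  Returns 0 (telemetry off) when the environment is
   not allowed to control telemetry, when the variable is unset or
   empty, or when the text is not one complete in-range number.
   Assumption: numeric values only. */
static unsigned long telemetry_filter_from_text(const char *text, int allowed)
{
  char *end;
  unsigned long filter;

  if (!allowed || text == NULL || *text == '\0')
    return 0;

  errno = 0;
  filter = strtoul(text, &end, 0);   /* base 0: decimal, octal or hex */
  if (errno != 0 || *end != '\0')    /* overflow or trailing junk */
    return 0;

  return filter;
}

/* Client replacement for the plinth function that reads
   MPS_TELEMETRY_CONTROL with getenv. */
unsigned long mps_lib_telemetry_control(void)
{
  return telemetry_filter_from_text(getenv("MPS_TELEMETRY_CONTROL"),
                                    TELEMETRY_ENV_ALLOWED);
}
```

With the switch undefined, the function returns 0 whatever the environment contains, so the environment variable alone no longer enables telemetry.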