[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: Security Hole Exploit in tortoiseproc?

From: Peter Yamamoto <yamamotop_at_page44.com>
Date: 2006-07-01 21:33:25 CEST

I believe it does that because it is using the outlook mail client, which by default wants to check to see if the addressee is in your correspondents list to ensure/expand the proper address. I'm not sure if there is a way to change this behavior (and if you mistype (a known) addressee then you will simply have the mail bounce).

Peter

-----Original Message-----
From: Stefan Küng [mailto:tortoisesvn@gmail.com]
Sent: Saturday, July 01, 2006 10:34 AM
To: users@tortoisesvn.tigris.org
Subject: Re: Security Hole Exploit in tortoiseproc?

Alexandra Stehman wrote:
> Greetings,
>
> If this is normal behavior please let me know. I was committing two
> new files into the repository when a TortoiseProc window popped up
> informing me that something bad happened and it needed to close. It
> requested a description of the user activities prior to the crash,
> which I provided. I then proceeded to send the report. However, it
> did something quite odd. I got a weird little message from outlook
> saying "a program is trying to access email addresses you have stored
> in outlook. do you want to allow this?" I clicked NO twice. Then it
> said something about the message not being sent. NOW it is prompting
> me to save this file called TortoiseProc, format type ZIP, somewhere. I am not going to save this file, but find this entire series of events suspect.
>
> If this is normal behavior, please do let me know (I am not a list subscriber).

I don't know why outlook would say something like that. All the crashreport tool is trying to do is to open up a new mail window, with the target mail and your text about the crash filled in. It doesn't even
*send* the mail but relies on you to hit the "send" button.
And it definitely doesn't try to read your address book.
You can check the sourcecode of that tool yourself if you don't believe me:
http://tortoisesvn.tigris.org/svn/tortoisesvn/trunk/src/crashrpt/
Login: guest
and use an empty password.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: users-help@tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: users-help@tortoisesvn.tigris.org
Received on Sat Jul 1 21:33:22 2006

This is an archived mail posted to the TortoiseSVN Users mailing list.