Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-3061

username + password + non-interactive caches creds wrong

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 1.4.x
    • Fix Version/s: unscheduled
    • Component/s: cmdline client
    • Labels:
      None
    • Environment:

      Mac OS X

      Description

      Using a svn command-line client built to store passwords in the OS X keychain, the following 
      command:
      
      svn log --username jrepenning --password XXX --non-interactive -rHEAD 
      https://cee.extranet.collab.net/svn/cee
      
      ... causes the password to be cached in svn.simple/*
      
      This is a security issue, of potentially grave impact (since the keychain configuration allows insecure 
      storage of ~/.subversion/)
      
      I have not checked whether analogous mishandlings occur on Windows, with its somewhat different 
      secure storage extension.
      
      This may be related to the Leopard bug that afflicts --non-interactive (issue 3059)
      

      Original issue reported by jackrepenning

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              subversion-importer Subversion Importer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: