
RE: HTTP authentication vs. --username and --password

From: Martijn Boekhorst <subversion_at_boekhorst.net>
Date: 2002-07-22 10:17:18 CEST

Thought I'd contribute two security-related thoughts on the topic of 401
authentication - which hopefully make it less enticing to pursue this
path.

First off - 401 on browsers has the usual problem that, once logged on
through 401, there's no other way to kill the authentication than to close
down all browser sessions (this may or may not be terribly relevant to
svn).

Second, and I think more importantly, it's easy to write code that will
invade another process, scan its memory for the 401 piece of the header,
and come up with the user-id and password, fully exposed, ready for re-use
(in fact, I've got some code that does this for Netscape and IE, though I'm
unsure if my employer wants me to share this, intellectual property-wise).

Anyway, hopefully these thoughts make the 401 approach less exciting and
svn more secure.

Cheers, Martijn Boekhorst.

ps. GUI client is obviously still alive except that firewalls and daytime
job are getting in the way of writing code. Hope to share something "real
soon now".
>> From: Justin Erenkrantz [mailto:jerenkrantz@apache.org]
>> Sent: 22 July 2002 04:45
>
>> On Sun, Jul 21, 2002 at 09:02:52PM -0500, Ben Collins-Sussman wrote:
>> > Peter Davis <peter@pdavis.cx> writes:
>> >
>> > > $ svn co http://username:password@server/repos/
>> >
>> > Isn't this an IE or Netscape-only syntax? I can't remember.
>>
>> Passing the password in the URL isn't recommended, but it is part of
>> the URI spec (RFC 2396). So, it probably should be supported.
>>
>> My $.02. -- justin
>
> +1 on supporting it at some point. We have all these nice apr-util uri
> functions, let's put them to use.
>
> Sander
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jul 22 10:17:55 2002
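The thread weighs two ways a client can carry HTTP credentials: embedded in the URL as RFC 2396 userinfo (`http://username:password@server/repos/`), or sent in an Authorization header after a 401 challenge. The Python below is an added example written for this page, not code from the original post or from the Subversion project. It splits userinfo out of a URL so the password never reaches a log line, builds the Basic header a client would send in reply to a 401, and then illustrates Martijn's memory-scanning point by scraping that header back out of a constructed byte buffer and decoding it: Basic auth is base64, not encryption, so anything that can read the client's memory can read the password. The host `svn.example.test`, the credentials `alice` / `s3cr@t`, and the "memory image" bytes are all made up for the example.

```python
"""Credentials in URLs and in HTTP Basic auth: what a client holds and how to scrub it.

Added example for this archive page; not code from the mailing-list post or Subversion.
"""
import base64
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def split_credentials(url: str):
    """Separate RFC 2396 userinfo ("user:pass@") from a URL.

    Returns (url_without_userinfo, username, password).  username and
    password are None when the URL carries none.  Percent-decoding is
    applied, so "s3cr%40t" comes back as "s3cr@t".
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url, None, None
    # rpartition: the host part is everything after the LAST "@", so an
    # "@" inside a percent-encoded-free password does not confuse us.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, sep, password = userinfo.partition(":")
    scrubbed = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return scrubbed, unquote(user), (unquote(password) if sep else None)


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header a client sends after a 401 Basic challenge."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


# The pattern a memory scanner would look for.  Basic auth is reversible
# base64, so matching the header is all that is needed to recover the secret.
_BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def scrape_basic_credentials(memory: bytes):
    """Recover every user:password pair from a buffer such as a process memory dump."""
    found = []
    for m in _BASIC_RE.finditer(memory):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed token; skip rather than crash
        user, _, password = decoded.partition(":")
        found.append((user, password))
    return found


def redact_url(url: str) -> str:
    """Replace the password in a URL with '***' so the URL is safe to log or echo."""
    scrubbed, user, password = split_credentials(url)
    if user is None:
        return url
    parts = urlsplit(scrubbed)
    userinfo = quote(user, safe="") + (":***" if password is not None else "")
    return urlunsplit((parts.scheme, f"{userinfo}@{parts.netloc}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    url = "http://alice:s3cr%40t@svn.example.test/repos/trunk"  # constructed example
    clean, user, pw = split_credentials(url)
    print("request URL:", clean, "| user:", user, "| password:", pw)

    header = basic_auth_header(user, pw)
    # Constructed "process memory": a request held in a client buffer, surrounded by junk.
    memory = (b"\x00junk\x00GET /repos/trunk HTTP/1.1\r\nHost: svn.example.test\r\n"
              + header.encode("ascii") + b"\r\n\r\n\xff\xfe")
    print("scraped from memory:", scrape_basic_credentials(memory))
    print("safe to log:", redact_url(url))
```

Two practical points follow from running it. A client that accepts `user:password@` in the URL should strip the userinfo before the URL is printed, logged, or stored anywhere (the `redact_url` form is what should appear in error messages), and RFC 3986, which superseded RFC 2396, explicitly deprecates the `user:password` form for exactly this reason. And once the credentials have been turned into a Basic header they sit in the client's memory as recoverable base64 for as long as the buffer lives, which is the exposure the post describes; keeping that buffer short-lived limits the window but does not remove it.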

This is an archived mail posted to the Subversion Dev mailing list.
