
[PATCH] obscure password

From: HIROSHIMA Naoki <naokih_at_iron-horse.org>
Date: 2006-03-12 11:30:35 CET

Hello,

Since I have never used Subversion with anything other than
svn+ssh, it has never been an issue for me. But when I started using
https recently, I realized that my password was stored in cleartext in
~/.subversion/auth/svn.simple/whatever. Not so great.

Then I googled the archives but couldn't find any patch or plan to
solve it. So I wrote a silly patch, below, that makes a password
somewhat obscure using base64.

Maybe the Subversion guys are such perfectionists that this kind of hack is
just not wanted at all. I agree that while this way actually doesn't
improve current security, it might give people the wrong impression.

But I believe this silly hack is still better than nothing until proper
ways are implemented by someone in the future.

Thanks,
-- Hiroshima

Index: subversion/libsvn_subr/simple_providers.c
===================================================================
--- subversion/libsvn_subr/simple_providers.c (revision 18843)
+++ subversion/libsvn_subr/simple_providers.c (working copy)
@@ -86,7 +86,10 @@
                       APR_HASH_KEY_STRING);
    if (str && str->data)
      {
- *password = str->data;
+ char *decoded_password;
+ decoded_password = apr_palloc(pool,
apr_base64_decode_len(str->data));
+ apr_base64_decode(decoded_password, str->data);
+ *password = decoded_password;
        return TRUE;
      }
    return FALSE;
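
Review bot: The added apr_base64_decode(decoded_password, str->data) call runs unconditionally, so it cannot tell a value written by this patch from a cleartext password that an earlier client already stored in the auth file; such an entry would be decoded into garbage and handed back as the password. Record the encoding in the stored hash (for example under a separate key or with a marker entry) and fall back to the old "*password = str->data;" when it is absent. The return value of apr_base64_decode is also ignored, so malformed stored data goes undetected.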
@@ -102,8 +105,11 @@
                      svn_boolean_t non_interactive,
                      apr_pool_t *pool)
  {
+ int len = strlen(password);
+ char *encoded_password = apr_palloc(pool, apr_base64_encode_len(len));
+ apr_base64_encode(encoded_password, password, len);
    apr_hash_set(creds, SVN_AUTH__AUTHFILE_PASSWORD_KEY,
APR_HASH_KEY_STRING,
- svn_string_create(password, pool));
+ svn_string_create(encoded_password, pool));
    return TRUE;
  }
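
Review bot: Missing documentation at the added apr_base64_encode(encoded_password, password, len) call: the encoding uses no key, so anyone who can read the auth file recovers the password by decoding it, and a comment here should state that this is obfuscation only and that the file's permissions remain the actual protection. The value is also still stored under SVN_AUTH__AUTHFILE_PASSWORD_KEY, so a client without this patch reading the same file would use the base64 text as the password. As a style point, "int len = strlen(password);" narrows the size_t result; declare len with the type the APR length functions expect and cast explicitly.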

Received on Mon Mar 13 02:59:25 2006

This is an archived mail posted to the Subversion Dev mailing list.
