[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Call for assistance (Was: [Issue 3061] username + password + non-interactive caches creds wrong)

From: Jack Repenning <jackrepenning_at_tigris.org>
Date: Mon, 9 Jun 2008 10:32:33 -0700

In issue 3061, I reported a security issue in SVN 1.4, an unexpected
leakage of password, despite configuration settings, arising from a
MacOS/Leopard-specific platform bug, and a use pattern common in GUI
wrappers of the command-line. There are several such wrappers that
display the problem, but the example I commonly site is svnX (which,
let me say, is a fine tool, I'm not dissing it at all, but it
definitely gets horked by this platform bug, and it's an easy tool to
set up the demo).

It was suggested that a change now in trunk will mitigate the security
aspect of this problem (by failing the operation, rather than silently
leaking the password, I think is the claim -- which, I agree, would be
better).

Begin forwarded message:

> ------- Additional comments from danielsh_at_tigris.org Mon Jun 9
> 01:05:37 -0700 2008 -------
> That's expected, since 1.5.x doesn't (and won't) include the
> plaintext branch.
> Can you test trunk?
>
> The plaintext branch adds prompting whether to save the password in
> plaintext.
> In non-interactive mode, it defaults to saving it (for
> compatibility), but you
> can override the default by setting store-plaintext-passwords=no in
> the
> ~/.subversion/servers file.

I thought I tested this (with 1.5-rc9), but it turns out the change in
question isn't in 1.5.

So, now I need some help: I don't routinely build straight from source
(as opposed to the source + deps tarballs), and don't get to work like
an actual developer much any more. But there are definitely other Mac
users on this list. Could another Mac dev build trunk and confirm-or-
deny this claim that trunk is safer for this scenario?

Here's the necessary test case, in case it's not apparent in the issue:

1. OS X Tiger + SVN 1.4.x history, with some credentials stored in
keychain, none in ~/.subversion/auth/svn.simple
2. also nuke relevant creds from Apple Keychain
3. upgrade to Leopard (or, if you're already on Leopard, nuke any auth/
svn.simple/* containing passwords)
4. no 1.5-specific configuration changes (no use of new "store-
plaintext-passwords" setting)
5. build SVN trunk
6. install svnX, preferences point to your trunk SVN
7. Use svnX to browse some repository that requires credentials to
browse

Definition of "fail":
Password appears in ~/.subversion/auth/svn.simple/*

Definition of "pass":
No password stored. I could live with failure of the operation,
though it would be really cool if the op worked and the password was
properly stuffed into the keychain

-==-
Jack Repenning
jackrepenning_at_tigris.org
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-06-09 19:32:45 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.