
RE: HTTP authentication vs. --username and --password

From: Sander Striker <striker_at_apache.org>
Date: 2002-07-22 11:49:26 CEST

> From: Martijn Boekhorst [mailto:subversion@boekhorst.net]
> Sent: 22 July 2002 10:17

> Thought I'd contribute two security related thoughts on the topic of 401
> authentication - which hopefully make it less enticing to pursue this
> path.
> First off - 401 on browsers has the usual problem that, once logged on
> through 401, there's no other way to kill the authentication than to close
> down all browser sessions (this may or may not be terribly relevant to
> svn).
> Second, and I think more importantly, it's easy to write code that will
> invade another process, scan its memory for the 401 piece of the header,
> and come up with the user-id and password, fully exposed, ready for re-use
> (in fact, I've got some code that does this for Netscape and IE though I'm
> unsure if my employer wants me to share this intellectual property-wise).
> Anyway, hopefully these thoughts make the 401 approach less exciting and
> svn more secure.
>

Valid stuff, but it depends on how you handle the URLs. If you parse them
at the client end and handle the user:password part as if it were passed in
using --username and --password, stripping the user:password segment out
of the URL when contacting the server, it is as secure as it is now.

> Cheers, Martijn Boekhorst.

Sander

> >> From: Justin Erenkrantz [mailto:jerenkrantz@apache.org]
> >> Sent: 22 July 2002 04:45
> >
> >> On Sun, Jul 21, 2002 at 09:02:52PM -0500, Ben Collins-Sussman wrote:
> >> > Peter Davis <peter@pdavis.cx> writes:
> >> >
> >> > > $ svn co http://username:password@server/repos/
> >> >
> >> > Isn't this an IE or Netscape-only syntax? I can't remember.
> >>
> >> Passing the password in the URL isn't recommended, but it is part of
> >> the URI spec (RFC 2396). So, it probably should be supported.
> >>
> >> My $.02. -- justin
> >
> > +1 on supporting it at some point. We have all these nice apr-util uri
> > functions, let's put them to use.
> >
> > Sander
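The client-side handling Sander describes, as an added example that is not code from the thread or from Subversion itself: parse the URL locally, pull the user:password segment out as if it had been given via --username and --password, and send only the stripped URL to the server. The function name and the sample URLs are constructed for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Split http://user:pass@host/path into (clean_url, username, password).

    The returned clean_url carries no userinfo and is the only form that
    should reach the network layer (and therefore server logs and proxies).
    username/password are None when the URL carries no such segment; they
    are percent-decoded so that e.g. 'p%40ss' becomes 'p@ss'.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        # No userinfo segment: nothing to strip, pass the URL through.
        return url, None, None

    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None

    # Keep everything after the last '@' of the authority: host, IPv6
    # brackets and an explicit port survive unchanged, the userinfo does not.
    netloc = parts.netloc.rpartition("@")[2]
    clean_url = urlunsplit((parts.scheme, netloc, parts.path,
                            parts.query, parts.fragment))
    return clean_url, username, password


if __name__ == "__main__":
    # Constructed sample input, in the form Peter Davis quoted.
    print(split_credentials("http://username:password@server/repos/"))
```

Stripping protects the wire and the server side only; the original command line, password included, still lands in shell history and process listings on the client.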

Received on Mon Jul 22 11:40:30 2002

This is an archived mail posted to the Subversion Dev mailing list.
