B. W. Fitzpatrick wrote:
><rbb@rkbloom.net> writes:
>
>
>>I just discovered that the svn client is caching passwords by default.
>>This seems like a huge security hole, especially since it isn't obvious
>>that it is being done until you try to actually do a commit. Personally,
>>I did my commit, then realized that I wasn't prompted for a password, so I
>>went scouring through my config files to ensure that I had configured
>>Apache correctly. Only then did I look at my log files and realize that I
>>had actually logged in correctly.
>>
>>I am sending a patch that switches the default behavior to
>>--no-auth-cache. This removes that command-line option, and adds a new
>>one --auth-cache, which as you would expect, turns the cache back on.
>>
>>
>
>Ryan and I were talking about this a bit on irc.
>
>I'd like to +1 this patch. If we don't switch the password caching
>behavior to off by default, we're going to wind up getting a BUGTRAQ
>nastygram, a truckload of bad press, and then have to turn it off by
>default anyway.
>
>Let's save ourselves the pain and suffering.
>
>
+1, as much as i hate having to type in my password every time i commit,
it makes more sense to require that people ask for the behaviour if they
want it than to be surprised by it.
-garrett
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jan 13 21:31:25 2003