[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] default to --no-auth-cache

From: Daniel Rall <dlr_at_collab.net>
Date: 2003-01-13 23:12:26 CET

On Mon, 13 Jan 2003, B. W. Fitzpatrick wrote:

> <rbb@rkbloom.net> writes:
> >
> > I just discovered that the svn client is caching passwords by default.
> > This seems like a huge security hole, especially since it isn't obvious
> > that it is being done until you try to actually do a commit. Personally,
> > I did my commit, then realized that I wasn't prompted for a password, so I
> > went scouring through my config files to ensure that I had configured
> > Apache correctly. Only then did I look at my log files and realize that I
> > had actually logged in correctly.
> >
> > I am sending a patch that switches the default behavior to
> > --no-auth-cache. This removes that command-line option, and adds a new
> > one --auth-cache, which as you would expect, turns the cache back on.
>
> Ryan and I were talking about this a bit on irc.
>
> I'd like to +1 this patch. If we don't switch the password caching
> behavior to off by default, we're going to wind up getting a BUGTRAQ
> nastygram, a truckload of bad press, and then have to turn it off by
> default anyway.
>
> Let's save ourselves the pain and suffering.

As much as I like the ease of use that caching as the default behavior
provides, I totally agree with Fitz's summary.

- Dan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jan 13 23:05:22 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.