Hello,
Since I have never been using Subversion with anything other than
svn+ssh, it has never been any issue to me. But when I started using
https recently, I realized that my password was stored in cleartext in
~/.subversion/auth/svn.simple/whatever. Not so great.
Then, I have googled the archives but couldn't find any patch or plan to
solve it. So, I wrote a silly patch as below that makes a password
somewhat obscure using base64.
Maybe Subversion guys are so perfectionist that this kind of hack is
just not wanted at all. I agree that while this way actually doesn't
improve current security, it might give people wrong impression.
But I believe this silly hack is still better than nothing until proper
ways will be implemented by someone in the future.
Thanks,
-- Hiroshima
Index: subversion/libsvn_subr/simple_providers.c
===================================================================
--- subversion/libsvn_subr/simple_providers.c (revision 18843)
+++ subversion/libsvn_subr/simple_providers.c (working copy)
@@ -86,7 +86,10 @@
APR_HASH_KEY_STRING);
if (str && str->data)
{
- *password = str->data;
+ char *decoded_password;
+ decoded_password = apr_palloc(pool, apr_base64_decode_len(str->data));
+ apr_base64_decode(decoded_password, str->data);
+ *password = decoded_password;
return TRUE;
}
return FALSE;
@@ -102,8 +105,11 @@
svn_boolean_t non_interactive,
apr_pool_t *pool)
{
+ int len = strlen(password);
+ char *encoded_password = apr_palloc(pool, apr_base64_encode_len(len));
+ apr_base64_encode(encoded_password, password, len);
apr_hash_set(creds, SVN_AUTH__AUTHFILE_PASSWORD_KEY, APR_HASH_KEY_STRING,
- svn_string_create(password, pool));
+ svn_string_create(encoded_password, pool));
return TRUE;
}
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Mar 12 21:28:16 2006