Re: --non-interactive and keyrings

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Fri, 03 Feb 2012 17:43:53 +0000

Philip Martin <philip.martin_at_wandisco.com> writes:

> The KDE behaviour is a potential information leak. A random app can use
> the Subversion libraries to query a repo, if it can monitor whether
> such a query causes the KDE prompt to appear then it can determine
> whether or not the password for the repo is in the wallet. Since GNOME
> always prompts no such leak is possible.

Thinking about this a bit further, it's not really a leak at all. The
information that is leaking is whether or not 'kwallet' is stored in the
.subversion/auth directory for a given repository. But any application
that is capable of triggering the leak would also be capable of simply
reading the .subversion/auth files.

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com

Received on 2012-02-03 18:44:31 CET

This message: [ Message body ]
Next message: Johan Corveleyn: "Re: 1.7.3 next week-ish?"
Previous message: Bert Huijben: "RE: svn commit: r1239695 - in /subversion/branches/1.7.x: ./ STATUS build.conf contrib/server-side/mod_dontdothat/ tools/server-side/mod_dontdothat/"
In reply to: Philip Martin: "Re: --non-interactive and keyrings"
Next in thread: Daniel Shahaf: "Re: --non-interactive and keyrings"
Reply: Daniel Shahaf: "Re: --non-interactive and keyrings"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]