
Re: A strong WTF on compiling out plaintext password support by default?!

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Fri, 7 Aug 2020 09:34:33 +0000

Dr. Thomas Orgis wrote on Fri, 07 Aug 2020 09:41 +0200:
> On Fri, 7 Aug 2020 05:53:24 +0000,
> Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
>
> > > > should work: the compile-time knob prevents passwords from being
> > > > _written_, but doesn't prevent passwords already there from being
> > > > read.
>
> Then it might be a nice idea to allow users to intentionally trigger
> that write when they know what they are doing. Well, that was of course
> what the old behaviour did, but a bit implicitly. One could imagine a
> new command to make it explicit. Something like
>
> svn store-password $user $repo

I'm attaching a prototype standalone script implementing this
functionality.

It successfully adds a password to the storage, in the sense that
after running it, a subsequent `svn auth --show-passwords` shows the
password. Still, a subsequent `svn info` doesn't use the password.
Why? By source inspection, SVN_DISABLE_PLAINTEXT_PASSWORD_STORAGE
affects svn_auth__simple_creds_cache_set() but not svn_auth__simple_creds_cache_get(),
so why doesn't the latter use the password?

Cheers,

Daniel

[[[
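#!/usr/local/bin/zsh -f
# Prompt for a realm and a password, then cache that password for that realm, in plaintext.
PS3="Enter the number of the selected option: "
# Split the `svn auth` output into blank-line-separated blocks.
creds=( "${(ps.\n\n.)"$(svn auth)"}" )
# Keep only the blocks that start with a dash.
creds=( ${(M)creds:#-*} )
select m in $creds
do
        # Pull the realm string out of the selected block.
        realm=${(M)${(f)m}:#Authentication realm: *}
        realm=${realm#*: }
        # Read the password without echoing it.
        IFS= read -s -r pw"?Password: "
        # The cache file is named after the MD5 of the realm string.
        md5=${"$(printf %s "$realm" | openssl md5)"##*= }
        # Use ed to insert a "password" key/value pair before the last line of the file.
        print -rC1 \
                \$ i "K 8" password "V ${#pw}" "$pw" "." "w" "q" \
                | ed -s ~/.subversion/auth/svn.simple/$md5
        echo edited $_
        break
done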
]]]
Received on 2020-08-07 11:34:51 CEST
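
An added example, not part of the original mail or of Subversion's code: a Python audit of the `svn.simple` cache files that the script above edits. It parses the length-prefixed `K`/`V` format (lengths are byte counts) and reports whether a password is stored in plaintext, without returning the password. The realm, user name and secret are constructed sample values; `audit_entry` and `serialize` are hypothetical helper names, and treating a missing `passtype` as plaintext is an assumption of this example.

```python
import hashlib
import io

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <n>\\nkey\\nV <n>\\nvalue\\n ... END\\n'; <n> is a byte count."""
    buf, out = io.BytesIO(data), {}
    def item(tag: bytes) -> bytes:
        header = buf.readline().rstrip(b"\n")
        kind, _, length = header.partition(b" ")
        if kind != tag or not length.isdigit():
            raise ValueError(f"expected {tag!r} <len>, got {header!r}")
        body = buf.read(int(length))
        if len(body) != int(length) or buf.read(1) != b"\n":
            raise ValueError(f"length mismatch after {header!r}")
        return body

    while True:
        pos = buf.tell()
        line = buf.readline()
        if line.rstrip(b"\n") == b"END":
            return out
        if not line:
            raise ValueError("missing END terminator")
        buf.seek(pos)
        key = item(b"K")
        out[key.decode()] = item(b"V")

def audit_entry(filename: str, data: bytes) -> dict:
    """Summarise one cache file; the file name should be the MD5 of the realm."""
    entry = parse_svn_hash(data)
    realm = entry.get("svn:realmstring", b"")
    passtype = entry.get("passtype")
    return {
        "realm": realm.decode(errors="replace"),
        "name_matches_realm": hashlib.md5(realm).hexdigest() == filename,
        "passtype": passtype.decode() if passtype else None,
        # Assumption of this example: no passtype, or "simple", means plaintext.
        "plaintext_password": "password" in entry and passtype in (None, b"simple"),
    }

def serialize(pairs) -> bytes:
    # Build a constructed sample file from (key, value) byte pairs.
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in pairs) + b"END\n"

if __name__ == "__main__":
    realm = b"<https://svn.example.org:443> Example Repository"  # constructed
    sample = serialize([(b"svn:realmstring", realm), (b"username", b"alice"),
                        (b"passtype", b"simple"), (b"password", b"not-a-real-secret")])
    print(audit_entry(hashlib.md5(realm).hexdigest(), sample))
```
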

This is an archived mail posted to the Subversion Dev mailing list.
