
Re: A strong WTF on compiling out plaintext password support by default?!

From: Daniel Sahlberg <daniel.l.sahlberg_at_gmail.com>
Date: Fri, 14 Aug 2020 23:01:45 +0200

On Fri, 7 Aug 2020 at 11:34, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:

> It successfully adds a password to the storage, in the sense that
> after running it, a subsequent `svn auth --show-passwords` shows the
> password. Still, a subsequent `svn info` doesn't use the password.
> Why? By source inspection, SVN_DISABLE_PLAINTEXT_PASSWORD_STORAGE
> affects svn_auth__simple_creds_cache_set() but not
> svn_auth__simple_creds_cache_get(),
> so why doesn't the latter use the password?
>

It seems you also need to set passtype = simple for
svn_auth__simple_creds_cache_get() to accept the password.

Updated script: I changed it to use /usr/bin/env to find zsh and explicitly
set LANG to make sure svn auth returns the expected text (normally I'm
running sv_SE.UTF-8).

[[[
#!/usr/bin/env -S zsh -f
# Prompt for a realm and a password, then cache that password for that
# realm, in plaintext.
LANG=en_US.UTF-8
PS3="Enter the number of the selected option: "
creds=( "${(ps.\n\n.)"$(svn auth)"}" )
creds=( ${(M)creds:#-*} )
select m in $creds
do
        realm=${(M)${(f)m}:#Authentication realm: *}
        realm=${realm#*: }
        IFS= read -s -r pw"?Password: "
        md5=${"$(printf %s "$realm" | openssl md5)"##*= }
        print -rC1 \
                \$ i "K 8" passtype "V 6" simple "K 8" password "V ${#pw}" "$pw" "." "w" "q" \
                | ed -s ~/.subversion/auth/svn.simple/$md5
        echo edited $_
        break
done
]]]

A proper svn store-password command would be nice to better support non-X11
automated environments in case of "stupid" compile time options. But that
moots the point of SVN_DISABLE_PLAINTEXT_PASSWORD_STORAGE and I understand
the need for it in certain (corporate) environments, I even think it could
prevent reading an already stored password. Better to convince
your favorite distribution to take the approach of OpenBSD (as detailed by
Stefan Sperling elsewhere in the thread).

Kind regards,
Daniel
Received on 2020-08-14 23:01:59 CEST
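
Added example, not part of the original mail and not Subversion project code: a Python audit of the `K <len>` / `V <len>` records that the script above edits, flagging cache files that hold a `passtype` of `simple` together with a `password` key. The `svn:realmstring` key name and the byte-count meaning of the lengths are assumptions taken from Subversion's serialized hash format rather than from this mail, and the sample record is constructed.

```python
import hashlib
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n' records terminated by END."""
    rec, pos = {}, 0

    def read_item(tag: bytes) -> bytes:
        nonlocal pos
        eol = data.index(b"\n", pos)            # ValueError if the file is truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        n, start = int(header[1]), eol + 1      # assumption: lengths are byte counts
        if data[start + n:start + n + 1] != b"\n":
            raise ValueError(f"length mismatch at byte {pos}")
        pos = start + n + 1
        return data[start:start + n]

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        rec[key.decode()] = read_item(b"V")
    return rec

def audit_entry(name: str, data: bytes) -> list:
    """Findings for one svn.simple cache file; the password is never returned."""
    try:
        rec = parse_svn_hash(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if rec.get("passtype") == b"simple" and "password" in rec:
        findings.append("plaintext password stored")
    realm = rec.get("svn:realmstring")          # assumed key name for the realm
    if realm is not None and hashlib.md5(realm, usedforsecurity=False).hexdigest() != name:
        findings.append("file name is not md5 of realm")
    return findings

def audit_dir(path=None) -> dict:
    path = Path(path) if path else Path.home() / ".subversion/auth/svn.simple"
    return {p.name: audit_entry(p.name, p.read_bytes())
            for p in sorted(path.glob("*")) if p.is_file()}

def _kv(k: bytes, v: bytes) -> bytes:
    return b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)

# Constructed sample record (realm, user and password are made up).
SAMPLE_REALM = b"<https://svn.example.invalid:443> Constructed Realm"
SAMPLE = (_kv(b"svn:realmstring", SAMPLE_REALM) + _kv(b"username", b"alice")
          + _kv(b"passtype", b"simple") + _kv(b"password", b"hunter2") + b"END\n")
```

A record whose `V` length does not match the value's byte length, for example a character count written for a non-ASCII password, is reported as malformed instead of being parsed.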

This is an archived mail posted to the Subversion Dev mailing list.
