
Re: Credentials held unencrypted in memory during runtime

From: Dale McCoy <dalestan_at_gmail.com>
Date: Mon, 11 Apr 2011 16:38:20 -0400

> While testing a scenario, we found that the TortoiseSVN client application
> holds the username and password strings in clear text within the
> memory during runtime. The sensitive information (e.g. password) is
> loaded into a variable during the authentication phase. The variable
> is not cleared after the initial use. It is possible to extract the
> TortoiseSVN strings stored in memory and obtain a valid password.
>
> Please let us know whether this security issue is fixed in the upcoming release.

Why is this a security issue? Do you not trust the software running on
your development machines? If not, why are you letting this untrusted
software run on a machine with access to your source code?

It is not impossible that this is an issue with the Subversion
libraries, not TortoiseSVN. Can this issue be observed in the
command-line client?

Dale McCoy

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718956

Received on 2011-04-11 22:38:45 CEST
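
The pattern the quoted report asks for, clearing a password variable once authentication has used it, as an added example that is not TortoiseSVN or Subversion code. The function names, the user name and the password value are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the optimizer cannot drop the
 * stores as dead writes, which it may do to a plain memset() on a buffer that
 * is never read again. Platform equivalents: SecureZeroMemory (Windows),
 * explicit_bzero (glibc/BSD). */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical stand-in for the real network authentication call. */
static int send_credentials(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "constructed-pass") == 0;
}

/* Authenticate, then wipe the whole password buffer on success and failure
 * alike. Returns 1 if the login succeeded, 0 otherwise. */
int authenticate_and_wipe(const char *user, char *pass, size_t cap)
{
    int ok = send_credentials(user, pass);
    secure_wipe(pass, cap);
    return ok;
}

/* Runs the flow on a constructed password. Returns -1 if any password byte
 * is still in the buffer afterwards, otherwise the login result (0 or 1). */
int login_then_check(const char *typed)
{
    char pass[64];
    snprintf(pass, sizeof pass, "%s", typed);
    int ok = authenticate_and_wipe("alice", pass, sizeof pass);
    for (size_t i = 0; i < sizeof pass; i++)
        if (pass[i] != 0)
            return -1;
    return ok;
}

int main(void)
{
    printf("good login: %d\n", login_then_check("constructed-pass"));
    printf("bad login:  %d\n", login_then_check("wrong"));
    return 0;
}
```

Wiping covers only the buffer this code owns; any copy made by a library, a UI control or a string class has to be cleared by whoever made it, which is why the reply's question about where the variable lives matters.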

This is an archived mail posted to the TortoiseSVN Users mailing list.
