Re: Credentials held unencrypted in memory during runtime

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 16:54:59 +0200

On Tue, Apr 12, 2011 at 16:50, Ron Wilson <ronw.mrmx_at_gmail.com> wrote:
> On Mon, Apr 11, 2011 at 1:26 PM, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>> And if you can execute code, you can just read out *all* passwords from
>> the encrypted auth file Subversion creates. All you need is the SVN
>> source code to find out how SVN itself decrypts that file and do the same.
>> And with that, you have *all* passwords for *all* your repositories, not
>> just the one currently used in the still running process.
>
> If this is truly the case, then SVN is not implemted correctly.
> However, that would be for a different mail list.

So, how should it be implemented?

Stefan

-- 
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719118
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].

Received on 2011-04-12 16:55:26 CEST

This message: [ Message body ]
Next message: Ron Wilson: "Re: Credentials held unencrypted in memory during runtime"
Previous message: Stefan Küng: "Re: Credentials held unencrypted in memory during runtime"
In reply to: Ron Wilson: "Re: Credentials held unencrypted in memory during runtime"
Next in thread: Ron Wilson: "Re: Credentials held unencrypted in memory during runtime"
Reply: Ron Wilson: "Re: Credentials held unencrypted in memory during runtime"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]