
Re: Security flaw: subversion stores passwords by default

From: Blair Zajac <blair_at_orcaware.com>
Date: Wed, 19 Mar 2008 16:34:35 -0700

Hadmut Danisch wrote:
> Hi,
>
> I just installed a subversion repository together with webdav and an
> apache server, protected by password authentication over LDAP and HTTPS.
>
> Accessing this repository over HTTPS worked perfectly except for a
> severe security problem:
>
> Unless turned off in the user's (or common) configuration file,
> subversion stores the password in plain text files. Since the web access
> password is the same as the common account password used for several
> services, inexperienced users compromise their own passwords without
> even realizing it.
>
> Although not a bug in the common sense, this is a severe security flaw
> by design.
>
> I would strongly recommend modifying this behavior and never ever letting
> subversion store any password by itself. If the password should be stored
> locally, then the user should do it himself or at least be given an option
> to do so.
>
> And, btw., it would be nice to support the https://user@server/... syntax
> or a way to take the user from the environment or configuration.

See

http://subversion.tigris.org/faq.html#plaintext-passwords
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache

Regards,
Blair

-- 
Blair Zajac, Ph.D.
<blair_at_orcaware.com>
http://www.orcaware.com/svn/
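An added example, not from this thread or the Subversion project: a small audit script that reads the client-side credential cache the thread is about (assumed at ~/.subversion/auth/svn.simple/, one file per realm in svn's "K <len>/V <len>/END" hash-dump format) and reports which entries hold the password itself in plaintext rather than a reference to an OS keyring. The sample cache file is constructed for the demonstration.

```python
import os
# Added example (not from the thread): audit Subversion's credential cache for
# plaintext passwords. Cached credentials live in ~/.subversion/auth/svn.simple/,
# one file per realm. Caching is disabled with `store-passwords = no` in the
# [auth] section of ~/.subversion/config.

def parse_svn_hash(data: bytes) -> dict:
    """Parse one svn hash-dump file into a {key: value} dict (byte-length aware)."""
    fields, pos = {}, 0
    while True:
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return fields
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>', got {header!r}")
        klen = int(header[2:])
        key, pos = data[pos:pos + klen].decode(), pos + klen + 1
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if not header.startswith(b"V "):
            raise ValueError(f"expected 'V <len>', got {header!r}")
        vlen = int(header[2:])
        fields[key], pos = data[pos:pos + vlen].decode(), pos + vlen + 1

def classify(fields: dict) -> str:
    """'plaintext' if the password itself is on disk, else which backend holds it."""
    passtype = fields.get("passtype")
    if "password" in fields and passtype in (None, "simple"):
        return "plaintext"
    if passtype:
        return f"keyring:{passtype}"  # e.g. gnome-keyring, kwallet, keychain, wincrypt
    return "no-password"

def audit_auth_dir(auth_dir: str) -> dict:
    """Return {cache file: verdict} for every entry under auth_dir/svn.simple."""
    simple_dir = os.path.join(auth_dir, "svn.simple")
    results = {}
    if os.path.isdir(simple_dir):
        for name in sorted(os.listdir(simple_dir)):
            with open(os.path.join(simple_dir, name), "rb") as fh:
                results[name] = classify(parse_svn_hash(fh.read()))
    return results

# Constructed sample of a cache file written by a client that stored the password.
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
          b"K 15\nsvn:realmstring\nV 35\n<https://svn.example.test:443> Repo\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

if __name__ == "__main__":  # verdict for the sample, then the real cache if present
    print(classify(parse_svn_hash(SAMPLE)), audit_auth_dir(os.path.expanduser("~/.subversion/auth")))
```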
Received on 2008-03-20 00:35:00 CET

This is an archived mail posted to the Subversion Users mailing list.
