
Subversion mangling passwords to apache over https

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Wed, 18 Apr 2012 10:22:33 +0100

Folks,

This is a follow-up to the thread `Need help troubleshooting user authentication (apache)`:
http://subversion.markmail.org/thread/q57ffzbhrdv6ydhp

...with the hope of catching a few more eyeballs.

Quick Summary: Subversion (both TortoiseSVN and the command-line client provided by TSVN) is changing certain characters whilst using Basic Authentication (over https, from Windows XP) to Apache 2.2 (on Windows Server 2003). So far I have confirmed this for the UK keyboard `£` (SHIFT-3):

> When using a browser, I get the following for <shift>-1
> through <shift>-0 on my UK keyboard (bounded by '[]'):
>
> 2012-04-17 16:03:09.734000 : svntest [!"£$%^&*()]
>
> ...but when I use the svn command line client I log instead:
>
> 2012-04-17 16:01:52.124000 : svntest [!"œ$%^&*()]
>
> Note that the `£` is now different. I think that this explains
> the `Password Mismatch` error?

Philip Martin has already responded (thanks!) with:

> Non-ascii passwords are a problem for HTTP because there is
> no standard for encoding the password before constructing the
> digest, nor is there a standard for the client to tell the
> server which encoding it used. Because there is no standard
> clients tend to do different things. Some clients will
> convert the password to UTF-8, some clients will convert to
> some other encoding, and some clients will leave it in whatever
> encoding the user entered.

...which helps to explain the problem (except we are using `basic` plain text, not digest), but I cannot believe that we are the only Subversion users with this problem. What about other users with non-Latin character sets (Russia, Israel etc.)?

How can I help to narrow this down? Is it likely to be Windows-specific (I don't have any *nix flavour available) or something to do with serf or neon (instead of svn proper)?

Should I file a bug report (I get no relevant hits when I search for 'password')?

Regards,

~ mark c

Subversion client (on corporate Windows XP Pro SP3 using UK regional settings):

D:\>svn --version
svn, version 1.7.4 (r1295709)
   compiled Mar 8 2012, 18:47:27

Copyright (C) 2012 The Apache Software Foundation.
This software consists of contributions made by many people; see the NOTICE
file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - handles 'http' scheme
  - handles 'https' scheme

Server is Windows Server 2003 Std (in VMWare) also using UK regional settings:
apache 2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t mod_wsgi/3.3 Python/2.6.6 SVN/1.7.4

I am using the svn binaries from alagazam but I don't think they are involved as the password is being rejected by LDAP lookup before DAV gets a look-in, from a site-wide <Location />...</Location> block (there are more config details in the referenced thread).
Received on 2012-04-18 11:23:12 CEST

This is an archived mail posted to the Subversion Users mailing list.
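
The following is an added example, not part of the original post or of Subversion's code. It builds the Basic `Authorization` value for the password from the log lines above under several candidate client encodings and reports which client/server encoding pairs turn the typed `£` into the logged `œ`; the candidate encoding lists are assumptions, since the post names none.

```python
import base64
from itertools import product

# Candidate encodings are assumptions for this example; the post names none.
CLIENT_ENCODINGS = ["utf-8", "cp1252", "latin-1", "cp850", "cp437"]
SERVER_DECODINGS = ["utf-8", "cp1252", "latin-1"]

# Passwords as they appear in the two log lines quoted in the post.
TYPED = '!"\u00a3$%^&*()'        # browser log line, contains the pound sign
LOGGED_SVN = '!"\u0153$%^&*()'   # svn client log line, contains oe ligature


def basic_header(user, password, encoding):
    """Authorization value a client sends if it encodes with `encoding`."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def server_view(header, encoding):
    """(user, password) as a server-side logger decoding with `encoding` sees it."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True)
    user, sep, password = raw.partition(b":")  # password may itself contain ':'
    if not sep:
        raise ValueError("missing user:password separator")
    return (user.decode(encoding, errors="replace"),
            password.decode(encoding, errors="replace"))


def explain(typed, logged, user="svntest"):
    """Return (client_encoding, server_decoding) pairs mapping typed -> logged."""
    matches = []
    for client, server in product(CLIENT_ENCODINGS, SERVER_DECODINGS):
        try:
            header = basic_header(user, typed, client)
        except UnicodeEncodeError:
            continue  # this code page cannot represent the password at all
        if server_view(header, server)[1] == logged:
            matches.append((client, server))
    return matches


if __name__ == "__main__":
    print("svn client line :", explain(TYPED, LOGGED_SVN))
    print("browser line    :", explain(TYPED, TYPED))
```

Among these candidates, the svn log line is reproduced only when the client sends `£` as the single byte 0x9C (an OEM code page such as 850 or 437) and the server side reads it as Windows-1252, where 0x9C is `œ`.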
