Defect #1368

closed

SVN errors lead to svn username/password being displayed to end users (security issue)

Added by Anonymous almost 16 years ago. Updated almost 16 years ago.

Status: Closed
Priority: Normal
Category: SCM
Target version:
Start date: 2008-06-04
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

This is a bit of a security risk, but if errors occur when redmine (such as detailed http://www.redmine.org/wiki/1/FAQ#13 where svn isn't in the PATH), then the HTML page displayed to the user contains a nice red box which displays the command it tried, which lists the username and password it tried to access the repository with. Surely the username/password should be hidden and never shown to an end user, even if an error occurred.

Actions #1

Updated by Anonymous almost 16 years ago

Apologies for the messed-up link, Redmine doesn't appear to like formatting http links containing hashes.

Actions #2

Updated by Thomas Lecavelier almost 16 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 0.7.2

I set target version for 0.7.2 since it's a real security concern.

Actions #3

Updated by Jean-Philippe Lang almost 16 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r1493. Username and password are now replaced with xxxx.
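
The kind of masking described in this issue, as an added example that is not part of the original thread and is not Redmine's code from r1493: the command is executed with the real arguments, but any error shown to the user is built from a copy with the credential values replaced by xxxx. The names `mask_credentials`, `run_scm`, `ScmCommandError` and the sample command line are assumptions made for illustration.

```ruby
# Added illustration (hypothetical helper names, not Redmine's implementation).
MASK = "xxxx"
CREDENTIAL_FLAGS = %w[--username --password].freeze

# Return a copy of argv that is safe to display: the values of credential
# options are replaced with MASK. Handles "--password secret" and
# "--password=secret".
def mask_credentials(argv)
  masked = []
  hide_next = false
  argv.each do |arg|
    if hide_next
      masked << MASK
      hide_next = false
    elsif CREDENTIAL_FLAGS.include?(arg)
      masked << arg
      hide_next = true
    elsif (flag = CREDENTIAL_FLAGS.find { |f| arg.start_with?("#{f}=") })
      masked << "#{flag}=#{MASK}"
    else
      masked << arg
    end
  end
  masked
end

class ScmCommandError < StandardError; end

# Run the command with the real argv (array form, so no shell is involved).
# Every error message is built from the masked copy only.
def run_scm(argv)
  shown = mask_credentials(argv).join(" ")
  out = IO.popen(argv, err: [:child, :out], &:read)
  raise ScmCommandError, "command failed: #{shown}" unless $?.success?
  out
rescue Errno::ENOENT
  # The case from the report: the svn binary is not in the PATH.
  raise ScmCommandError, "command not found: #{shown}"
end

if __FILE__ == $0
  # Constructed sample: a binary name that does not exist, fake credentials.
  argv = ["svn-missing-example", "info", "--username", "alice",
          "--password", "s3cret", "http://svn.example.invalid/repo"]
  begin
    run_scm(argv)
  rescue ScmCommandError => e
    puts e.message
  end
end
```
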
