Defect #1368

SVN errors lead to svn username/password being displayed to end users (security issue)

Added by Anonymous over 9 years ago. Updated over 9 years ago.

Status: Closed
Start date: 2008-06-04
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: SCM
Target version: 0.7.2
Resolution: Fixed
Affected version: 0.7.1

Description

This is a bit of a security risk, but if errors occur when redmine (such as detailed http://www.redmine.org/wiki/1/FAQ#13 where svn isn't in the PATH), then the HTML page displayed to the user contains a nice red box which displays the command it tried, which lists the username and password it tried to access the repository with. Surely the username/password should be hidden and never shown to an end user, even if an error occurred.

Associated revisions

Revision 1493
Added by Jean-Philippe Lang over 9 years ago

Fixed: SVN errors lead to svn username/password being displayed to end users (#1368).

History

#1 Updated by Anonymous over 9 years ago

Apologies for the messed-up link, Redmine doesn't appear to like formatting http links containing hashes.

#2 Updated by Thomas Lecavelier over 9 years ago

  • Assignee set to Jean-Philippe Lang
  • Target version set to 0.7.2

I set target version for 0.7.2 since it's a real security concern.

#3 Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r1493. Username and password are now replaced with xxxx.
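
The masking described in this issue, sketched as an added Ruby example; it is not the code from r1493 or from Redmine. `ScmCommandError`, `mask_credentials` and `run_scm` are hypothetical names, and the sample command line is constructed.

```ruby
require 'open3'

# Added example; not the r1493 change. All names here are hypothetical.
class ScmCommandError < StandardError; end

SENSITIVE_FLAGS = %w[--username --password].freeze
MASK = 'xxxx'

# Build a display-safe command line: the value that follows a sensitive
# flag, or is attached to it with "=", is replaced with MASK.
def mask_credentials(argv)
  hide_next = false
  masked = argv.map do |arg|
    flag, value = arg.split('=', 2)
    if hide_next
      hide_next = false
      MASK
    elsif SENSITIVE_FLAGS.include?(flag)
      hide_next = value.nil?
      value.nil? ? arg : "#{flag}=#{MASK}"
    else
      arg
    end
  end
  masked.join(' ')
end

# Run the command from an argv array. Every failure path, including a
# missing executable, reports only the masked command line.
def run_scm(argv)
  out, err, status = Open3.capture3(*argv)
  return out if status.success?
  raise ScmCommandError, "#{mask_credentials(argv)} failed: #{err.strip}"
rescue Errno::ENOENT
  raise ScmCommandError, "#{mask_credentials(argv)} failed: executable not found"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input.
  argv = %w[svn info --username alice --password hunter2 http://svn.example.invalid/repo]
  puts mask_credentials(argv)
end
```

Masking is applied where the error message is built, so the real credentials are still passed to the subprocess and only the displayed copy is altered.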
