Defect #1368

SVN errors lead to svn username/password being displayed to end users (security issue)

Added by Russell Hind 85 days ago. Updated 83 days ago.

Status: Closed
Start: 2008-06-04
Priority: Normal
Due date:
Assigned to: Jean-Philippe Lang
% Done: 0%
Category: SCM
Target version: 0.7.2
Affected version: 0.7.1
Resolution: Fixed


Description

This is a bit of a security risk, but if errors occur when redmine (such as detailed http://www.redmine.org/wiki/1/FAQ#13 where svn isn't in the PATH), then the HTML page displayed to the user contains a nice red box which displays the command it tried, which lists the username and password it tried to access the repository with. Surely the username/password should be hidden and never shown to an end user, even if an error occurred.

Associated revisions

Revision 1493
Added by jplang 83 days ago

Fixed: SVN errors lead to svn username/password being displayed to end users (#1368).

History

2008-06-04 09:38 - Russell Hind

Apologies for the messed-up link, Redmine doesn't appear to like formatting http links containing hashes.

2008-06-04 12:48 - Thomas Lecavelier

  • Assigned to set to Jean-Philippe Lang
  • Target version set to 0.7.2

I set target version for 0.7.2 since it's a real security concern.

2008-06-06 16:34 - Jean-Philippe Lang

  • Status changed from New to Closed
  • Resolution set to Fixed

Fixed in r1493. Username and password are now replaced with xxxx.
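
The masking described in the fix above, as an added Ruby example that is not Redmine's own code from r1493: the values of svn's `--username` and `--password` options are replaced with `xxxx` before a failed command is reported. It goes beyond the issue by also masking credentials embedded in a repository URL; `redact_command`, `run_scm` and `ScmCommandError` are hypothetical names.

```ruby
# Added example, not Redmine's code. Names below are hypothetical.

# svn options whose value must not reach a log line or an error page.
SECRET_OPTS = %w[--username --password].freeze

# An option value: single-quoted, double-quoted, or a bare word.
VALUE = /'[^']*'|"(?:[^"\\]|\\.)*"|\S+/

# Matches both "--opt value" and "--opt=value".
CRED_RE = /(#{Regexp.union(SECRET_OPTS)})(\s+|=)#{VALUE}/

# Userinfo embedded in a repository URL: scheme://user:pass@host
URL_USERINFO_RE = %r{(\b[a-z][a-z0-9+.-]*://)[^\s/@]+@}i

# Returns the command with every credential value replaced by "xxxx".
def redact_command(cmd)
  cmd.to_s
     .gsub(CRED_RE) { "#{$1}#{$2}xxxx" }
     .gsub(URL_USERINFO_RE) { "#{$1}xxxx@" }
end

class ScmCommandError < StandardError; end

# Runs the command; any failure is reported with the redacted command only.
def run_scm(cmd)
  out = IO.popen(cmd, err: [:child, :out], &:read)
  raise ScmCommandError, "failed: #{redact_command(cmd)}" unless $?.success?
  out
rescue Errno::ENOENT # binary not in PATH, the case from the report
  raise ScmCommandError, "not found: #{redact_command(cmd)}"
end
```

Redaction belongs at the point where the command string is turned into a message, so the same masked form reaches both the log and the page shown to the user.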
