This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 178167

Summary: Insecure storage of VCS passwords
Product: versioncontrol
Component: Code
Reporter: Jesse Glick <jglick>
Assignee: Ondrej Vrabec <ovrabec>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 6.x
Hardware: All
OS: All
Issue Type: DEFECT
Exception Reporter:
Bug Depends on: 173413
Bug Blocks:

Description Jesse Glick 2009-12-04 13:12:13 UTC
It seems that subversion & mercurial modules (maybe others too?) persist user passwords insecurely using NbPreferences. For example, HgModuleConfig stores RepositoryConnection.getString, which can include an unencrypted password. Generally, any use of "Scrambler.scramble" should be considered a probable security bug.

Should instead use a keyring (see proposed API); for compatibility, interpret old settings but store the password you read in the keyring and delete it from disk.

The subversion module also seems to keep authentication information in $userdir/config/svn/, which is a bad idea; you should use the standard ~/.subversion/ dir only. (For example, operating system distributions may keep ~/.subversion/auth/ on an encrypted volume.)
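The migration the description asks for, as an added Java example (not code from the NetBeans modules or the changesets referenced in this report): passwords go only into the OS keyring through org.netbeans.api.keyring.Keyring, while a legacy NbPreferences value is read once, moved into the keyring and removed from disk. The key naming scheme, LEGACY_PREFIX and LegacyObfuscation.decode are assumptions, not names from the NetBeans code base.

```java
import java.util.prefs.Preferences;
import org.netbeans.api.keyring.Keyring;
import org.openide.util.NbPreferences;

/**
 * Hypothetical helper for the migration the report asks for: passwords live only
 * in the OS keyring (NetBeans Keyring API); a legacy NbPreferences entry is read
 * once, moved into the keyring and then removed from disk.
 */
public final class VcsPasswordStore {

    // Assumed legacy preference key prefix; the real modules used their own names.
    private static final String LEGACY_PREFIX = "repositoryPassword.";

    private static Preferences prefs() {
        return NbPreferences.forModule(VcsPasswordStore.class);
    }

    /** Keyring key derived from the repository URL (assumed naming scheme). */
    static String keyringKey(String repositoryUrl) {
        return "vcs.password." + repositoryUrl;
    }

    /** Store the password in the keyring only; nothing is written to NbPreferences. */
    public static void save(String repositoryUrl, char[] password) {
        Keyring.save(keyringKey(repositoryUrl), password, "VCS password for " + repositoryUrl);
    }

    /**
     * Return the stored password, or null if none. On the first call after an
     * upgrade, the legacy on-disk value is migrated into the keyring and deleted.
     */
    public static char[] read(String repositoryUrl) {
        char[] password = Keyring.read(keyringKey(repositoryUrl));
        if (password != null) {
            return password;
        }
        String legacy = prefs().get(LEGACY_PREFIX + repositoryUrl, null);
        if (legacy == null) {
            return null;
        }
        // LegacyObfuscation.decode is a hypothetical stand-in for the old reversible
        // "scramble" routine; being reversible, it never protected the value.
        password = LegacyObfuscation.decode(legacy).toCharArray();
        save(repositoryUrl, password);
        prefs().remove(LEGACY_PREFIX + repositoryUrl); // delete the insecure copy
        return password;
    }
}
```

Because the old obfuscation is reversible, the migration treats the legacy value as already exposed; the only gain is that after the first read the plaintext no longer sits in the userdir.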
Comment 1 Jesse Glick 2009-12-04 13:16:40 UTC
lib.cvsclient also seems to use Scrambler.
Comment 2 Ondrej Vrabec 2010-01-05 04:30:36 UTC
fix in mercurial: http://hg.netbeans.org/cdev/rev/873b947667c1
Comment 3 Quality Engineering 2010-01-06 00:44:17 UTC
Integrated into 'main-golden', will be available in build *201001060200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/873b947667c1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
Comment 4 Jesse Glick 2010-01-08 17:27:47 UTC
Should be able to delete Scrambler.scramble method.
Comment 5 Ondrej Vrabec 2010-01-11 05:41:13 UTC
fix: http://hg.netbeans.org/cdev/rev/6f8ce8ecd1e1
Comment 6 Ondrej Vrabec 2010-01-11 05:54:02 UTC
fix in subversion: http://hg.netbeans.org/cdev/rev/6f4aff59c8a9
Comment 7 Quality Engineering 2010-01-11 23:30:59 UTC
Integrated into 'main-golden', will be available in build *201001120200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/6f8ce8ecd1e1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
unused scramble method
Comment 8 Ondrej Vrabec 2010-01-12 01:18:55 UTC
fix in cvs: http://hg.netbeans.org/cdev/rev/0811e3fb5615
Comment 9 Quality Engineering 2010-01-13 12:28:46 UTC
Integrated into 'main-golden', will be available in build *201001131418* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/0811e3fb5615
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
do not persist passwords in a file, using Keyring API instead
Comment 10 Ondrej Vrabec 2010-01-19 02:54:18 UTC
fixed in all versioning systems.

> you should use the standard ~/.subversion/ dir only
We can't; we need to add some directives to the config file ourselves, and writing them directly to the system config file is a bad idea, IMHO. We need to pass e.g. proxy configuration, tunnel info, etc.
If you still think it should be handled in other way, open another issue in the subversion module.