162661 – Push failed when HTTP authentication ON and no username relative property provided

This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 162661 - Push failed when HTTP authentication ON and no username relative property provided

Summary: Push failed when HTTP authentication ON and no username relative property pro...

Status:	RESOLVED FIXED

Alias:	None

Product:	versioncontrol
Classification:	Unclassified
Component:	Mercurial (show other bugs)
Version:	6.x
Hardware:	All All

Importance:	P3 blocker (vote)
Assignee:	Marian Petras

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-04-15 03:42 UTC by johnsonlau
Modified:	2009-04-28 18:56 UTC (History)
CC List:	0 users

See Also:
Issue Type:	DEFECT
Exception Reporter:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description johnsonlau 2009-04-15 03:42:59 UTC

When HTTP authentication is used to protect Mercurial repositories,
NetBeans would failed on push if username/password is not specified in any kind of forms.
(for example, in hgrc)

I think there are two problems to improve or fix at least.

1) It is better to notify the user to provide a necessary username/password and commit again
 other than being just failed.

2) It is NOT SAFE to store the password in the form of
http://USERNAME:PASSWORD@server/repo/...
because it will be displayed directly in some ways
(for example, the Push Other dialog.)
which might result a password leak.
It is unlikely to separate colleagues too far away from each other in a company
and being harmful under the reason we're using HTTP authentication.
I'm forced to push the changes in command-line mode
when I pay more attention NOT to result any leak.

I found this issue might be relative, but it seems to be a different one.
http://www.netbeans.org/issues/show_bug.cgi?id=155893

Comment 1 Ondrej Vrabec 2009-04-24 12:21:34 UTC

1) should be fixed in cdev #505c3ce4312e

2) partially fixed in cdev #a663d370a7d7
- hides the password in output, logs, etc.
- but we are still working on hiding the password in some dialogs (Clone other..., Push to other ...)

Comment 2 Marian Petras 2009-04-27 10:35:23 UTC

Fixed.

The dialogs now have separate fields for username and password. When an existing URL is selected from a combo-box, the
username and password are extracted from it and displayed in these dedicated text-fields. The field password displays
stars instead of actual character (it is an instance of JPasswordField).

Changeset Id:
ec59dd460b0c

Comment 3 Quality Engineering 2009-04-28 18:56:44 UTC

Integrated into 'main-golden', will be available in build *200904281401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/ec59dd460b0c
User: Marian Petras <mpetras@netbeans.org>
Log: fixed the remainder of bug #162661 - the user's password for access to a Mercurial repository should not be discoverable anywhere in the UI