This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 178167 - Insecure storage of VCS passwords
Summary: Insecure storage of VCS passwords
Status: RESOLVED FIXED
Alias: None
Product: versioncontrol
Classification: Unclassified
Component: Code
Version: 6.x
Hardware: All All
Importance: P2 normal
Assignee: Ondrej Vrabec
URL:
Keywords:
Depends on: 173413
Blocks:
Reported: 2009-12-04 13:12 UTC by Jesse Glick
Modified: 2010-01-19 02:54 UTC

See Also:
Issue Type: DEFECT
Exception Reporter:


Description Jesse Glick 2009-12-04 13:12:13 UTC
It seems that subversion & mercurial modules (maybe others too?) persist user passwords insecurely using NbPreferences. For example, HgModuleConfig stores RepositoryConnection.getString, which can include an unencrypted password. Generally, any use of "Scrambler.scramble" should be considered a probable security bug.

Should instead use a keyring (see proposed API); for compatibility, interpret old settings but store the password you read in the keyring and delete it from disk.

The subversion module also seems to keep authentication information in $userdir/config/svn/, which is a bad idea; you should use the standard ~/.subversion/ dir only. (For example, operating system distributions may keep ~/.subversion/auth/ on an encrypted volume.)
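
The compatibility path described above (interpret the old setting, store the password in the keyring, delete it from disk), as an added example that is not NetBeans code and not part of the original report. `SecretStore`, `readPassword`, the preference node and key, and the string-reversing decoder are hypothetical stand-ins, not the Keyring API or the real Scrambler algorithm.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.prefs.BackingStoreException;
import java.util.prefs.Preferences;

public class VcsPasswordMigration {
    /** Hypothetical stand-in for a keyring; a real one is backed by the OS or a master password. */
    interface SecretStore {
        void save(String key, char[] secret);
        char[] read(String key);
    }

    /** Returns the password for key, moving a legacy preferences value into the keyring on first read. */
    static char[] readPassword(Preferences prefs, SecretStore keyring, String key,
            UnaryOperator<String> legacyDecoder) throws BackingStoreException {
        String legacy = prefs.get(key, null);
        if (legacy == null) {
            return keyring.read(key);            // already migrated, or never stored
        }
        char[] password = legacyDecoder.apply(legacy).toCharArray();
        keyring.save(key, password);             // store in the keyring first...
        if (keyring.read(key) == null) {         // ...and confirm it before touching the old copy
            throw new IllegalStateException("keyring did not keep the secret; legacy value left in place");
        }
        prefs.remove(key);                       // then delete the on-disk copy
        prefs.flush();                           // push the removal to the backing store now
        return password;
    }

    public static void main(String[] args) throws Exception {
        Map<String, char[]> memory = new HashMap<>();   // in-memory keyring, for the demo only
        SecretStore keyring = new SecretStore() {
            public void save(String k, char[] s) { memory.put(k, s.clone()); }
            public char[] read(String k) { char[] s = memory.get(k); return s == null ? null : s.clone(); }
        };
        // Constructed stand-in for a reversible "scramble"; NOT the real Scrambler algorithm.
        UnaryOperator<String> decoder = s -> new StringBuilder(s).reverse().toString();

        Preferences prefs = Preferences.userRoot().node("example-vcs-migration-demo"); // constructed node
        String key = "hg.password.https://hg.example.org/repo";                        // constructed key
        prefs.put(key, "terces");                        // simulate an old scrambled setting on disk

        System.out.println(new String(readPassword(prefs, keyring, key, decoder))); // first read migrates
        System.out.println(prefs.get(key, null));        // the legacy entry is no longer in preferences
        System.out.println(new String(readPassword(prefs, keyring, key, decoder))); // served by keyring
        prefs.removeNode();                              // clean up the demo node
    }
}
```

The legacy value is removed only after the keyring read-back succeeds, so a failing keyring backend does not lose the user's stored password.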
Comment 1 Jesse Glick 2009-12-04 13:16:40 UTC
lib.cvsclient also seems to use Scrambler.
Comment 2 Ondrej Vrabec 2010-01-05 04:30:36 UTC
fix in mercurial: http://hg.netbeans.org/cdev/rev/873b947667c1
Comment 3 Quality Engineering 2010-01-06 00:44:17 UTC
Integrated into 'main-golden', will be available in build *201001060200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/873b947667c1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
Comment 4 Jesse Glick 2010-01-08 17:27:47 UTC
Should be able to delete Scrambler.scramble method.
Comment 5 Ondrej Vrabec 2010-01-11 05:41:13 UTC
fix: http://hg.netbeans.org/cdev/rev/6f8ce8ecd1e1
Comment 6 Ondrej Vrabec 2010-01-11 05:54:02 UTC
fix in subversion: http://hg.netbeans.org/cdev/rev/6f4aff59c8a9
Comment 7 Quality Engineering 2010-01-11 23:30:59 UTC
Integrated into 'main-golden', will be available in build *201001120200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/6f8ce8ecd1e1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
unused scramble method
Comment 8 Ondrej Vrabec 2010-01-12 01:18:55 UTC
fix in cvs: http://hg.netbeans.org/cdev/rev/0811e3fb5615
Comment 9 Quality Engineering 2010-01-13 12:28:46 UTC
Integrated into 'main-golden', will be available in build *201001131418* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/0811e3fb5615
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
do not persist passwords in a file, using Keyring API instead
Comment 10 Ondrej Vrabec 2010-01-19 02:54:18 UTC
fixed in all versioning systems.

> you should use the standard ~/.subversion/ dir only
We can't; we need to add some directives to the config file ourselves, and writing them directly to the system config file is a bad idea, IMHO. We need to pass e.g. proxy configuration, tunnel info, etc.
If you still think it should be handled in other way, open another issue in the subversion module.