Bug 178167 - Insecure storage of VCS passwords
Insecure storage of VCS passwords
Status: RESOLVED FIXED
Product: versioncontrol
Classification: Unclassified
Component: Code
6.x
All All
: P2 (vote)
: 6.x
Assigned To: Ondrej Vrabec
issues@versioncontrol
:
Depends on: 173413
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-04 13:12 UTC by Jesse Glick
Modified: 2010-01-19 02:54 UTC (History)
0 users

See Also:
Issue Type: DEFECT
:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Glick 2009-12-04 13:12:13 UTC
It seems that subversion & mercurial modules (maybe others too?) persist user passwords insecurely using NbPreferences. For example, HgModuleConfig stores RepositoryConnection.getString, which can include an unencrypted password. Generally, any use of "Scrambler.scramble" should be considered a probable security bug.

Should instead use a keyring (see proposed API); for compatibility, interpret old settings but store the password you read in the keyring and delete it from disk.

The subversion module also seems to keep authentication information in $userdir/config/svn/, which is a bad idea; you should use the standard ~/.subversion/ dir only. (For example, operating system distributions may keep ~/.subversion/auth/ on an encrypted volume.)
Comment 1 Jesse Glick 2009-12-04 13:16:40 UTC
lib.cvsclient also seems to use Scrambler.
Comment 2 Ondrej Vrabec 2010-01-05 04:30:36 UTC
fix in mercurial: http://hg.netbeans.org/cdev/rev/873b947667c1
Comment 3 Quality Engineering 2010-01-06 00:44:17 UTC
Integrated into 'main-golden', will be available in build *201001060200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/873b947667c1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
Comment 4 Jesse Glick 2010-01-08 17:27:47 UTC
Should be able to delete Scambler.scramble method.
Comment 5 Ondrej Vrabec 2010-01-11 05:41:13 UTC
fix: http://hg.netbeans.org/cdev/rev/6f8ce8ecd1e1
Comment 6 Ondrej Vrabec 2010-01-11 05:54:02 UTC
fix in subversion: http://hg.netbeans.org/cdev/rev/6f4aff59c8a9
Comment 7 Quality Engineering 2010-01-11 23:30:59 UTC
Integrated into 'main-golden', will be available in build *201001120200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/6f8ce8ecd1e1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
unused scramble method
Comment 8 Ondrej Vrabec 2010-01-12 01:18:55 UTC
fix in cvs: http://hg.netbeans.org/cdev/rev/0811e3fb5615
Comment 9 Quality Engineering 2010-01-13 12:28:46 UTC
Integrated into 'main-golden', will be available in build *201001131418* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/0811e3fb5615
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
do not persist passwords in a file, using Keyring API instead
Comment 10 Ondrej Vrabec 2010-01-19 02:54:18 UTC
fixed in all versioning systems.

> you should use the standard ~/.subversion/ dir only
We can't, we need to add some directives to config file ourselves and write it directly to the system config file is a bad idea, IMHO. We need to pass e.g. proxy configuration, tunnel info, etc.
If you still think it should be handled in other way, open another issue in the subversion module.


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2012, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo