This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
It seems that subversion & mercurial modules (maybe others too?) persist user passwords insecurely using NbPreferences. For example, HgModuleConfig stores RepositoryConnection.getString, which can include an unencrypted password. Generally, any use of "Scrambler.scramble" should be considered a probable security bug. Should instead use a keyring (see proposed API); for compatibility, interpret old settings but store the password you read in the keyring and delete it from disk. The subversion module also seems to keep authentication information in $userdir/config/svn/, which is a bad idea; you should use the standard ~/.subversion/ dir only. (For example, operating system distributions may keep ~/.subversion/auth/ on an encrypted volume.)
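The compatibility path proposed above (read the old on-disk setting once, move the secret into the keyring, delete the on-disk copy), as an added Java illustration that is not code from the NetBeans modules. The Keyring interface is a hypothetical stand-in for the NetBeans Keyring API (save/read/delete); java.util.prefs.Preferences stands in for NbPreferences, which extends it; Base64 is a constructed stand-in for the legacy scrambling, whose algorithm the report does not show.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.prefs.Preferences;

public class VcsPasswordMigration {
    /** Hypothetical stand-in for the NetBeans Keyring API (save/read/delete). */
    interface Keyring {
        void save(String key, char[] password, String description);
        char[] read(String key);
        void delete(String key);
    }

    /** Constructed stand-in for the legacy scrambling; like any obfuscation, anyone who can read the file can reverse it. */
    static String legacyDescramble(String scrambled) {
        return new String(Base64.getDecoder().decode(scrambled), StandardCharsets.UTF_8);
    }

    /** Prefer the keyring; if only a legacy preferences entry exists, migrate it and remove it from disk. */
    static char[] loadPassword(Preferences prefs, Keyring keyring, String repoUrl) {
        String keyringKey = "vcs.password." + repoUrl;   // assumed key naming
        char[] fromKeyring = keyring.read(keyringKey);
        if (fromKeyring != null) {
            return fromKeyring;
        }
        String legacy = prefs.get("password." + repoUrl, null);   // assumed legacy key naming
        if (legacy == null) {
            return null;
        }
        char[] password = legacyDescramble(legacy).toCharArray();
        keyring.save(keyringKey, password, "VCS password for " + repoUrl);
        prefs.remove("password." + repoUrl);   // the secret no longer lives in the config file
        return password;
    }

    /** In-memory keyring so the example runs without a desktop keyring. */
    static final class InMemoryKeyring implements Keyring {
        private final Map<String, char[]> store = new HashMap<>();
        public void save(String k, char[] p, String d) { store.put(k, p.clone()); }
        public char[] read(String k) { char[] p = store.get(k); return p == null ? null : p.clone(); }
        public void delete(String k) { store.remove(k); }
    }

    public static void main(String[] args) throws Exception {
        String repo = "https://example.invalid/repo";   // constructed sample repository URL
        Preferences prefs = Preferences.userRoot().node("vcs-migration-demo");
        prefs.put("password." + repo, Base64.getEncoder().encodeToString("s3cret".getBytes(StandardCharsets.UTF_8)));
        Keyring keyring = new InMemoryKeyring();
        char[] pw = loadPassword(prefs, keyring, repo);
        System.out.println("legacy entry removed: " + (prefs.get("password." + repo, null) == null));
        System.out.println("served from keyring:  " + Arrays.equals(pw, keyring.read("vcs.password." + repo)));
        prefs.removeNode();   // clean up the demo node
    }
}
```

The second call to loadPassword for the same repository returns straight from the keyring without touching the preferences file.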
lib.cvsclient also seems to use Scrambler.
fix in mercurial: http://hg.netbeans.org/cdev/rev/873b947667c1
Integrated into 'main-golden', will be available in build *201001060200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/873b947667c1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
Should be able to delete Scrambler.scramble method.
fix: http://hg.netbeans.org/cdev/rev/6f8ce8ecd1e1
fix in subversion: http://hg.netbeans.org/cdev/rev/6f4aff59c8a9
Integrated into 'main-golden', will be available in build *201001120200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/6f8ce8ecd1e1
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
unused scramble method
fix in cvs: http://hg.netbeans.org/cdev/rev/0811e3fb5615
Integrated into 'main-golden', will be available in build *201001131418* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/0811e3fb5615
User: Ondrej Vrabec <ovrabec@netbeans.org>
Log: Issue #178167 - Insecure storage of VCS passwords
do not persist passwords in a file, using Keyring API instead
Fixed in all versioning systems.

> you should use the standard ~/.subversion/ dir only

We can't; we need to add some directives to the config file ourselves, and writing them directly to the system config file is a bad idea, IMHO. We need to pass e.g. proxy configuration, tunnel info, etc. If you still think it should be handled in another way, open another issue in the subversion module.