Vote #63348

Completed

SVN errors lead to svn username/password being displayed to end users (security issue)

Added by Admin Redmine almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: SCM_3
Target version:
Start date: 2008/06/04
Due date:
% Done: 0%
Estimated time:
category_id: 3
version_id: 4
issue_org_id: 1368
author_id: 4
assigned_to_id: 1
comments: 3
status_id: 5
tracker_id: 1
plus1: 0
affected_version:
closed_on:
affected_version_id: 3
Status-->[Closed]

Description

This is a bit of a security risk, but if errors occur when Redmine (such as detailed http://www.redmine.org/wiki/1/FAQ#13 where svn isn't in the PATH), then the HTML page displayed to the user contains a nice red box which displays the command it tried, which lists the username and password it tried to access the repository with. Surely the username/password should be hidden and never shown to an end user, even if an error occurred.


journals

Apologies for the messed-up link, Redmine doesn't appear to like formatting http links containing hashes.
--------------------------------------------------------------------------------
I set target version for 0.7.2 since it's a real security concern.
--------------------------------------------------------------------------------
Fixed in r1493. Username and password are now replaced with xxxx.
--------------------------------------------------------------------------------

Updated by Admin Redmine almost 2 years ago

  • Category set to SCM_3
  • Target version set to 0.7.2_4
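
An added example, not Redmine's own code (the page does not show r1493): one way to replace the username and password with xxxx before a failed SCM command string is logged or rendered in an error box. It goes slightly beyond the report by also masking the `--password=value` form and credentials embedded in a URL; the sample command line, host and credentials are constructed, and `mask_credentials` and `ScmCommandFailed` are hypothetical names.

```ruby
# Added example, not Redmine's code: redact credentials from an SCM command
# line before it is logged or placed in an error message shown to a user.

MASK = 'xxxx'

# Options whose value must never be displayed (svn's --username/--password).
SECRET_OPTS = %w[--username --password].freeze

# An option value: double-quoted, single-quoted, or a bare token.
VALUE = /"(?:[^"\\]|\\.)*"|'[^']*'|\S+/

# "--password <value>" and "--password=<value>" forms.
OPT_RE = /(#{SECRET_OPTS.map { |o| Regexp.escape(o) }.join('|')})(\s+|=)#{VALUE}/

# Userinfo embedded in a URL, e.g. https://user:secret@host/repo
URL_RE = %r{(\b[a-z][a-z0-9+.-]*://)[^/\s@"']+@}i

def mask_credentials(cmd)
  cmd.to_s
     .gsub(OPT_RE) { "#{$1}#{$2}#{MASK}" }
     .gsub(URL_RE) { "#{$1}#{MASK}@" }
end

# Error whose message is safe to render: the raw command is masked in the
# constructor, so no later handler or view can leak it by accident.
class ScmCommandFailed < StandardError
  def initialize(cmd, detail)
    super("SCM command failed: #{mask_credentials(cmd)} (#{detail})")
  end
end

# Constructed sample command line (hypothetical host and credentials).
SAMPLE = %q(svn info --xml "http://svn.example.test/repo" --username 'build bot' --password "s3cr3t pw" --no-auth-cache)

# Simulates the failure from the report (svn not in PATH) and returns the
# message an error page would display.
def demo
  raise ScmCommandFailed.new(SAMPLE, 'svn: command not found')
rescue ScmCommandFailed => e
  e.message
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Masking at the point where the error is constructed, rather than in the view, also keeps the credentials out of application logs and exception reports that reuse the same message.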
