subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Philip Martin <philip.mar...@wandisco.com>
Subject Re: --non-interactive and keyrings
Date Fri, 03 Feb 2012 17:43:53 GMT
Philip Martin <philip.martin@wandisco.com> writes:

> The KDE behaviour is a potential information leak.  A random app can use
> the Subversion libraries to query a repo, if it can monitor whether
> such a query causes the KDE prompt to appear then it can determine
> whether or not the password for the repo is in the wallet.  Since GNOME
> always prompts no such leak is possible.

Thinking about this a bit further, it's not really a leak at all.  The
information that is leaking is whether or not 'kwallet' is stored in the
.subversion/auth directory for a given repository.  But any application
that is capable of triggering the leak would also be capable of simply
reading the .subversion/auth files.

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com

Mime
View raw message