subversion-dev mailing list archives

From Martin Furter ...@apache.org>
Subject Re: The --password and clumsy users issue
Date Fri, 04 Jul 2014 04:10:22 GMT
On 07/04/14 04:47, Gabriela Gibson wrote:

> This is a summary of Ben's reply:
>
> Ben Reser wrote on Thu, Jul 03, 2014 at 12:54:58 -0700:
>  > 1) Remove the option.
>  > 2) Redact the password in the argv after starting up and finding the
>  > bits to redact.

3) Allow the password to be supplied over stdin using the special value "-".

Nobody will see the password. The only leak is that a password has been 
supplied using stdin. An attacker will have to convince the calling 
application to run something different than svn which logs the password 
to a file.

This can of course be combined with 2).

- Martin
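
Options 2) and 3) from this thread combined, as an added example that is not part of the message above and is not Subversion's code. The function names `redact_arg`, `read_password` and `resolve_password` are hypothetical, and only the separate-argument form `--password VALUE` is handled.

```c
/* Added example, not Subversion code; all function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Option 2: overwrite the argv element in place. The value stays visible
   in process listings until this runs. */
static void redact_arg(char *arg) { memset(arg, 'x', strlen(arg)); }

/* Option 3: read one line from `in` as the password, newline stripped.
   Returns 0 on success, -1 on EOF or a line that does not fit. */
static int read_password(FILE *in, char *out, size_t outlen)
{
    size_t n;
    if (fgets(out, (int)outlen, in) == NULL)
        return -1;
    n = strcspn(out, "\r\n");
    if (out[n] == '\0' && !feof(in))
        return -1;
    out[n] = '\0';
    return 0;
}

/* Handle "--password VALUE": "-" reads from `in`, anything else is copied
   and then redacted. Returns 1 if obtained, 0 if absent, -1 on error. */
static int resolve_password(int argc, char **argv, FILE *in,
                            char *out, size_t outlen)
{
    int i;
    for (i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--password") != 0)
            continue;
        if (strcmp(argv[i + 1], "-") == 0)
            return read_password(in, out, outlen) == 0 ? 1 : -1;
        if (strlen(argv[i + 1]) >= outlen)
            return -1;
        strcpy(out, argv[i + 1]);
        redact_arg(argv[i + 1]);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char pw[256];
    int rc = resolve_password(argc, argv, stdin, pw, sizeof pw);
    if (rc < 0)
        return 1;
    printf("password %s\n", rc ? "received, not echoed" : "not supplied");
    return 0;
}
```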
