passwords being logged and shown in the clear

Open krcb197 opened this issue 2 years ago • 4 comments

It is possible to run the module by passing in a user name and password, for example:

import svn.remote

svn_report = svn.remote.RemoteClient(svn_item, username=user_name, password=mypassword_as_a_string)
svn_report.export(target_dir)

Even if you have followed all the good practices for handling passwords within your code, the svn package has two issues:

  • In the CommonBase, the full svn command is sent to the debug log
  • In the event of failure, the full command is sent to the exception, which then shows in many places

The password should be obscured before the errors or logs are made.

Apr 26 '23 08:04 krcb197
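The redaction requested in the issue above, as an added example that is neither PySvn's code nor the submitted pull request. It assumes the password reaches the svn executable as a `--password` argument; `redact_command`, `run_logged`, `CommandError` and the sample values are hypothetical.

```python
import logging
import subprocess

SECRET_FLAGS = {"--password"}  # assumption: the secret follows this svn option
MASK = "********"


class CommandError(Exception):
    """Raised on failure; its message only ever holds the redacted argv."""


def redact_command(cmd):
    """Return a copy of argv with the value of each secret option masked."""
    redacted, mask_next = [], False
    for arg in cmd:
        if mask_next:                       # value following "--password"
            redacted.append(MASK)
            mask_next = False
            continue
        flag, sep, _ = arg.partition("=")
        if sep and flag in SECRET_FLAGS:    # "--password=value" spelling
            redacted.append(flag + "=" + MASK)
        else:
            redacted.append(arg)
            mask_next = arg in SECRET_FLAGS
    return redacted


def run_logged(cmd, runner=subprocess.run, log=logging.getLogger("svn_wrapper")):
    """Run cmd unchanged, but log and report only its redacted form."""
    safe = redact_command(cmd)
    log.debug("RUN: %s", safe)
    # check=True is avoided on purpose: CalledProcessError keeps the full argv
    proc = runner(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise CommandError(f"command failed ({proc.returncode}): {safe}\n{proc.stderr}")
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample argv; the URL and credentials are placeholders.
    sample = ["svn", "export", "--username", "alice",
              "--password", "constructed-secret", "https://svn.example.invalid/repo"]
    print(redact_command(sample))
```

Redaction here covers only the log line and the exception text; the real password is still present in the child process's argument list while the command runs.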

This ticket is a partial duplicate of #125

Apr 28 '23 07:04 krcb197

I have submitted a Pull Request with a fix in it. Hopefully it will be accepted.

Apr 28 '23 09:04 krcb197

Any plans for accepting the PR? I must admit I don't feel safe using the package with this problem on it.

Jun 28 '23 17:06 rjfs

This issue only affects the case where the credentials are being passed through Python. In many cases there are other ways to avoid the issue:

  • including letting the SVN executable cache the credentials
  • passing them through an environment variable.

That said, I am not sure who we need to lobby/persuade to get the updates through.

Jun 28 '23 18:06 krcb197