subversion-issues mailing list archives

From "Evgeny Kotkov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SVN-4611) Passwords with percent character are not correctly retrieved from gpg-agent
Date Tue, 29 Nov 2016 16:46:00 GMT

     [ https://issues.apache.org/jira/browse/SVN-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Evgeny Kotkov updated SVN-4611:
-------------------------------
    Fix Version/s: 1.8.17

> Passwords with percent character are not correctly retrieved from gpg-agent
> ---------------------------------------------------------------------------
>
>                 Key: SVN-4611
>                 URL: https://issues.apache.org/jira/browse/SVN-4611
>             Project: Subversion
>          Issue Type: Bug
>          Components: libsvn_subr
>    Affects Versions: 1.8.5, 1.9.3
>         Environment: Unix-like (e.g. Linux, Solaris)
>            Reporter: Georg Sauthoff
>             Fix For: 1.8.17, 1.9.4
>
>
> Steps to reproduce:
> 1. set up SVN server with password authentication
> 2. set juser's password to e.g. '%123secret'
> 2. install gpg-agent
> 3. execute as juser (at least two times such that gpg-agent kicks in): svn ls $project
> 4. execute `svn ls $project` one more time
> Actual result:
> In step 3, user is asked for his password after gpg-agent pinentry is successfully finished.
> In step 4, the last `svn ls $project` still yields a svn password prompt
> Expected result:
> In step 3, no more password prompt after gpg-agent pinentry is successfully finished.
> In step 4, the last `svn ls $project` doesn't ask for password since it is able to retrieve it from gpg-agent.
> How reproducible:
> always
> Workaround:
> replace % characters in your password, e.g. with '!' ones.
> Analysis:
> The 'svn' command issues a 'GET_PASSPHRASE --data' command, thus, special characters inside the password might be escaped via the percent character. Especially, % itself is escaped like this: %25. The code in gpg-agent.c doesn't seem to handle this, i.e. it doesn't try to 'parse' (i.e. unescape) % sequences.
> Perhaps it is even easier to drop the --data option, i.e. then all characters are hex encoded.
> See also:
> https://svn.apache.org/repos/asf/subversion/tags/1.9.3/subversion/libsvn_subr/gpg_agent.c
> https://svn.apache.org/repos/asf/subversion/tags/1.8.5/subversion/libsvn_subr/gpg_agent.c



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
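
The unescaping step that the analysis above describes as missing, shown as an added example (it is not Subversion's gpg_agent.c and not the project's actual fix): a C decoder for the percent-escaped payload of an Assuan `D` data line. The function names are assumptions and the sample reply is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; this is not code from gpg_agent.c. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* not a hex digit */
}

/* Decode the payload of an Assuan "D " data line into out: each %XX becomes
 * the byte 0xXX, everything else is copied. Returns the decoded length, or -1
 * for a non-data line, a truncated/non-hex escape, or a too-small buffer. */
static long unescape_data_line(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;

    if (outsz == 0 || strncmp(line, "D ", 2) != 0)
        return -1;
    for (p = line + 2; *p != '\0' && *p != '\n'; p++) {
        int c = (unsigned char)*p;
        if (*p == '%') {
            int hi = hex_val(p[1]);
            int lo = hi < 0 ? -1 : hex_val(p[2]);
            if (lo < 0)
                return -1;          /* reject instead of passing '%' through */
            c = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= outsz)
            return -1;              /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: the agent's reply for the password '%123secret'. */
    long len = unescape_data_line("D %25123secret\n", buf, sizeof buf);
    printf("%ld %s\n", len, len < 0 ? "(error)" : buf);
    return 0;
}
```

Without this step the caller would hand `%25123secret` to the server, which matches the repeated password prompt in the report.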
