opengrok
User/password visible in process listing during indexing of SVN repository
During indexing the user and the password are printed to the console.
505 9205 11803 15 07:53 ? 00:00:00 /usr/bin/svn log --non-interactive --username XXXXX --password XXXX --trust-server-cer
This information is available to any user connected to the machine by the command ps -ef. Is there any way to avoid this?
I'm afraid there's not. This needs to be solved.
Not sure this is actually a bug. That said, the indexer does this:
    private List<String> getAuthCommandLineParams() {
        List<String> result = new ArrayList<>();
        // Credentials are read from the environment, not from the configuration.
        String userName = System.getenv(ENV_SVN_USERNAME);
        String password = System.getenv(ENV_SVN_PASSWORD);
        if (userName != null && !userName.isEmpty() && password != null
                && !password.isEmpty()) {
            // Both values become plain command-line arguments of the svn process,
            // which is why they show up in the process listing.
            result.add("--username");
            result.add(userName);
            result.add("--password");
            result.add(password);
        }
        return result;
    }
Not sure this is your case - i.e. if you are using the ENV_SVN_USERNAME / ENV_SVN_PASSWORD environment variables.
According to the documentation on http://svnbook.red-bean.com/en/1.7/svn.serverconfig.netmodel.html, Subversion should cache the user/password values so maybe there's a way around that.
There's maybe a way around this but we shouldn't print the passwords into the log files anyway.
The logger output from Executor would have to be redacted to achieve that.
I think that some regexp matching (as I guess this is only in svn) would solve the issue with some combination of LOGGER.isLoggable(Level ...) to avoid unnecessary string operations when the logger is not active.
The question is whether SVN allows specifying the user/pass by other means.
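One way to do the log redaction discussed above, as an added illustration that is not OpenGrok's own code: a logging helper that checks LOGGER.isLoggable first and only then runs a regexp over the joined command line, masking the values after --username and --password. The class name, the mask string and the sample command are assumptions; logging uses java.util.logging, which the LOGGER.isLoggable(Level ...) call in the thread refers to.

```java
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class RedactingCommandLogger {
    private static final Logger LOGGER =
            Logger.getLogger(RedactingCommandLogger.class.getName());

    // Matches "--username alice", "--password s3cret" and the "--flag=value" forms.
    // Group 1 keeps the flag; the token after it is what gets masked.
    private static final Pattern CREDENTIAL_ARG =
            Pattern.compile("(--(?:username|password))(?:=|\\s+)(\\S+)");

    /** Returns the joined command line with credential values replaced by a fixed mask. */
    static String redact(String cmdline) {
        return CREDENTIAL_ARG.matcher(cmdline).replaceAll("$1 ********");
    }

    /**
     * Logs the command only when the level is enabled, so the string join and the
     * regex pass are skipped entirely when the logger is quiet.
     */
    static void logCommand(List<String> args) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "Executing: {0}", redact(String.join(" ", args)));
        }
    }

    public static void main(String[] argv) {
        // Constructed sample command; the credential values are placeholders.
        List<String> cmd = Arrays.asList("/usr/bin/svn", "log", "--non-interactive",
                "--username", "alice", "--password", "s3cret", "--trust-server-cert");
        System.out.println(redact(String.join(" ", cmd)));
        logCommand(cmd);
    }
}
```

Because the match stops at whitespace, a password containing spaces would only be partly masked; redacting the argument list element by element before joining it avoids that. None of this changes the process listing, which is the separate problem raised at the top of the thread.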