svn-scm

Plaintext Password

Open mpearon opened this issue 4 years ago • 2 comments

  • VSCode Version: 1.56.0-insider
  • OS Version: Windows 10
  • Extension Version: v1909 build 18363.1500
  • System Language: English
  • SVN Version: 1.12.2 (r1863366)

Issue

Username and password are committed to the Windows Event Log (Windows Logs \ Security) in plaintext: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Steps to Reproduce

  1. Commit any change to any file

SVN Output

N/A

Event Log Output

"C:\Program Files\TortoiseSVN\bin\svn.exe" stat --xml --no-ignore --ignore-externals --username REDACTED --password REDACTED --config-option config:auth:password-stores= --config-option servers:global:store-auth-creds=no --non-interactive


May 07 '21 21:05 mpearon

Is there a way to do the same command without the username and password without using svn ssh?

May 16 '21 09:05 JohnstonCode

This happens on Linux as well, "svn stat" with username and password visible in "ps" output. This was even without doing a commit. I think the password should never be part of the command line, at least not without a big fat red warning.

Jun 02 '21 15:06 pgit

@JohnstonCode - This behavior does not appear to be present in the current version. Can you confirm that this was addressed?

Jan 04 '24 21:01 mpearon
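
Added example, not code from svn-scm or from anyone in this thread: it flags a `--password` value in a logged command line like the Event Log output above, and builds the same `svn` call with the password sent over stdin instead of argv. It assumes Subversion 1.10 or later for `--password-from-stdin` (used together with `--non-interactive`); the function names and sample values are constructed for illustration.

```javascript
// Added example; not svn-scm code. All names and sample values are constructed.
const SECRET_FLAGS = ["--password"]; // values that must never appear in argv

// Constructed sample modelled on the Event Log output in the issue.
const LOGGED = '"C:\\Program Files\\TortoiseSVN\\bin\\svn.exe" stat --xml ' +
  "--username alice --password hunter2 --non-interactive";

// Split a logged command line into tokens, honouring double quotes.
function tokenize(cmdline) {
  const tokens = [];
  for (const m of cmdline.matchAll(/"([^"]*)"|(\S+)/g)) {
    tokens.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return tokens;
}

// Report secret flags that carry a value ("--flag value" or "--flag=value").
function exposedSecrets(cmdline) {
  const tokens = tokenize(cmdline);
  const found = [];
  tokens.forEach((tok, i) => {
    for (const flag of SECRET_FLAGS) {
      const inline = tok.startsWith(flag + "=") && tok.length > flag.length + 1;
      const split = tok === flag && i + 1 < tokens.length;
      if (inline || split) found.push(flag);
    }
  });
  return found;
}

// Hardened form: the password goes to the child's stdin pipe, not argv.
// Assumes Subversion 1.10+ (--password-from-stdin, used with --non-interactive).
function buildSvnInvocation(subcommandArgs, username, password) {
  return {
    args: [...subcommandArgs, "--username", username,
      "--password-from-stdin", "--non-interactive"],
    stdin: password,
  };
}

// Spawn svn and write the password to its stdin; end() closes the pipe.
function runSvn(svnPath, invocation) {
  const { spawn } = require("node:child_process"); // loaded only when used
  const child = spawn(svnPath, invocation.args, { stdio: ["pipe", "pipe", "inherit"] });
  child.stdin.end(invocation.stdin);
  return child;
}
```

The user name still appears in argv in this form; only the password is moved off the command line.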