Posted to dev@subversion.apache.org by David Glasser <gl...@davidglasser.net> on 2008/06/13 22:58:57 UTC

multiple password prompts

Submitted for your perusal:

glasser@smiler:~/Projects/Google$ svn co https://REDACTED.googlecode.com/svn/ REDACTED
Authentication realm: <https://REDACTED.googlecode.com:443> Google Code Subversion Repository
Password for 'glasser':
Authentication realm: <https://REDACTED.googlecode.com:443> Google Code Subversion Repository
Username: dglasser
Password for 'dglasser':
-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <https://REDACTED.googlecode.com:443> Google Code Subversion Repository

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/glasser/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <https://REDACTED.googlecode.com:443> Google Code Subversion Repository

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/glasser/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
A    REDACTED/trunk
A    REDACTED/wiki
...


Um.  Why did it ask me the same question twice?

--dave

-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: multiple password prompts

Posted by David Glasser <gl...@davidglasser.net>.
On Tue, Jun 17, 2008 at 5:16 AM, Stefan Sperling <st...@elego.de> wrote:
> On Mon, Jun 16, 2008 at 12:40:33PM -0700, David Glasser wrote:
>> On Sun, Jun 15, 2008 at 5:26 AM, Stefan Sperling <st...@elego.de> wrote:
>> > On Sat, Jun 14, 2008 at 01:49:51PM +0300, Daniel Shahaf wrote:
>> >> Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
>> >> > Do you have any idea what difference between the googlecode.com
>> >> > setup and my setup could cause the prompt to appear twice for you?
>> >>
>> >> Did you try to reproduce against googlecode.com?  Did you try both serf
>> >> and neon?
>> >
>> > Neither.
>> >
>> > I'd rather wait for David's reply before I continue poking in the dark.
>>
>> I was using Neon.  I try not to learn details about how the WebDAV
>> protocols work, at googlecode or elsewhere, because I find them
>> revolting.
>
> I don't think anyone wants you to do things you find revolting :)
>
> Can you provide me with a repository and username/password
> that I can use to reproduce this? Say, some googlecode project
> or some other public repository with an account that has read-only
> access and must authenticate before reading? So I can do something
> like checkout or list and get two prompts?

I think the googlecode setup is that everyone can use
http://foo.googlecode.com/svn/ without authentication, and that only
project members can use https://foo.googlecode.com/svn/, so the
situation you're describing wouldn't be a good replication.  Of course
you can just make a test project on googlecode or something, I'm sure
you have some code sitting around somewhere that you've been meaning
to open-source :)

--dave


-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Jun 16, 2008 at 12:40:33PM -0700, David Glasser wrote:
> On Sun, Jun 15, 2008 at 5:26 AM, Stefan Sperling <st...@elego.de> wrote:
> > On Sat, Jun 14, 2008 at 01:49:51PM +0300, Daniel Shahaf wrote:
> >> Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
> >> > Do you have any idea what difference between the googlecode.com
> >> > setup and my setup could cause the prompt to appear twice for you?
> >>
> >> Did you try to reproduce against googlecode.com?  Did you try both serf
> >> and neon?
> >
> > Neither.
> >
> > I'd rather wait for David's reply before I continue poking in the dark.
> 
> I was using Neon.  I try not to learn details about how the WebDAV
> protocols work, at googlecode or elsewhere, because I find them
> revolting.

I don't think anyone wants you to do things you find revolting :)

Can you provide me with a repository and username/password
that I can use to reproduce this? Say, some googlecode project
or some other public repository with an account that has read-only
access and must authenticate before reading? So I can do something
like checkout or list and get two prompts?

Thanks,
Stefan

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Wed, Jun 18, 2008 at 12:09:26PM +0530, Senthil Kumaran S wrote:
> Hi Stefan,
>
> Stefan Sperling wrote:
>> If you hard code *cached_answer to TRUE, you are overriding whatever
>> answer the user gave you. After all, the user may have said 'no',
>> in which case may_save_password is FALSE.
>>
>> The else condition at line number 297 you are referring to
>> is not triggered based on whether *cached_answer is TRUE
>> or FALSE. It's based on whether cached_answer is NULL or not.
>> It is NULL if we cannot find an answer in the cache. The value
>> of the answer (TRUE or FALSE) does not matter.
>
> I missed the '&' before may_save_password in the following code:
>
> <snip>
>                       SVN_ERR((*b->plaintext_prompt_func)(&may_save_password,
>                                                           realmstring,
>                                                           b->prompt_baton,
>                                                           pool));
>
> </snip>
>
> hence, I came to this conclusion. Sorry for the noise :)

No problem.

>> Do you agree or have I misunderstood you?
>
> Yes I perfectly agree with you. Unfortunately I am unable to reproduce 
> this in my box today! Is googlecode.com the only way?

I don't know yet. I'll have to find some time to create an
account with googlecode and some code to open source :)

Stefan

Re: multiple password prompts

Posted by Senthil Kumaran S <se...@collab.net>.
Hi Stefan,

Stefan Sperling wrote:
> If you hard code *cached_answer to TRUE, you are overriding whatever
> answer the user gave you. After all, the user may have said 'no',
> in which case may_save_password is FALSE.
> 
> The else condition at line number 297 you are referring to
> is not triggered based on whether *cached_answer is TRUE
> or FALSE. It's based on whether cached_answer is NULL or not.
> It is NULL if we cannot find an answer in the cache. The value
> of the answer (TRUE or FALSE) does not matter.

I missed the '&' before may_save_password in the following code:

<snip>
                       SVN_ERR((*b->plaintext_prompt_func)(&may_save_password,
                                                           realmstring,
                                                           b->prompt_baton,
                                                           pool));

</snip>

hence, I came to this conclusion. Sorry for the noise :)

> Maybe the check should be rewritten to make this more clear,
> like this:
> 
> Index: subversion/libsvn_subr/simple_providers.c
> ===================================================================
> --- subversion/libsvn_subr/simple_providers.c	(revision 31725)
> +++ subversion/libsvn_subr/simple_providers.c	(working copy)
> @@ -286,7 +286,7 @@ svn_auth__simple_save_creds_helper(svn_boolean_t *
>                    cached_answer = apr_hash_get(b->plaintext_answers,
>                                                 realmstring,
>                                                 APR_HASH_KEY_STRING);
> -                  if (cached_answer)
> +                  if (cached_answer != NULL)
>                      may_save_password = *cached_answer;
>                    else
>                      {
> 
> 
> Do you agree or have I misunderstood you?

Yes I perfectly agree with you. Unfortunately I am unable to reproduce this in 
my box today! Is googlecode.com the only way?

-- 
Senthil Kumaran S
http://www.stylesen.org/

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Jun 17, 2008 at 04:30:27PM +0530, Senthil Kumaran S wrote:
> Index: subversion/libsvn_subr/simple_providers.c
> ===================================================================
> --- subversion/libsvn_subr/simple_providers.c	(revision 31760)
> +++ subversion/libsvn_subr/simple_providers.c	(working copy)
> @@ -311,7 +311,7 @@
>                         * apr_palloc().
>                         */
>                        cached_answer = apr_palloc(pool, sizeof(svn_boolean_t));
> -                      *cached_answer = may_save_password;
> +                      *cached_answer = TRUE;
>                        apr_hash_set(b->plaintext_answers, realmstring,
>                                     APR_HASH_KEY_STRING, cached_answer);
>                      }
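Review bot: `*cached_answer = TRUE;` discards the user's answer. If the user answered 'no' to "Store password unencrypted", the next RA session for this realm finds a cached TRUE and writes the plaintext password to disk anyway, which is the exact outcome the prompt exists to prevent. The cached value has to stay `may_save_password`; the second prompt means `apr_hash_get` is returning NULL on the second lookup, so that lookup path (hash lifetime, key) is where the fix belongs, not the stored value.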

Hey Senthil,

I don't think this patch is correct.

If you hard code *cached_answer to TRUE, you are overriding whatever
answer the user gave you. After all, the user may have said 'no',
in which case may_save_password is FALSE.

The else condition at line number 297 you are referring to
is not triggered based on whether *cached_answer is TRUE
or FALSE. It's based on whether cached_answer is NULL or not.
It is NULL if we cannot find an answer in the cache. The value
of the answer (TRUE or FALSE) does not matter.

Maybe the check should be rewritten to make this more clear,
like this:

Index: subversion/libsvn_subr/simple_providers.c
===================================================================
--- subversion/libsvn_subr/simple_providers.c	(revision 31725)
+++ subversion/libsvn_subr/simple_providers.c	(working copy)
@@ -286,7 +286,7 @@ svn_auth__simple_save_creds_helper(svn_boolean_t *
                   cached_answer = apr_hash_get(b->plaintext_answers,
                                                realmstring,
                                                APR_HASH_KEY_STRING);
-                  if (cached_answer)
+                  if (cached_answer != NULL)
                     may_save_password = *cached_answer;
                   else
                     {
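Review bot: `if (cached_answer != NULL)` compiles to the same test as `if (cached_answer)`, so this hunk is a readability change only and leaves the double prompt untouched; a one-line comment saying that a cached FALSE is still a hit (only the pointer decides) would carry the intent better than the spelling of the condition. The diff is also against revision 31725 while Senthil's is against 31760; regenerate it from a current working copy before it goes in.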


Do you agree or have I misunderstood you?

Stefan

Re: multiple password prompts

Posted by Senthil Kumaran S <se...@collab.net>.
Hi,

David Glasser wrote:
> On Sun, Jun 15, 2008 at 5:26 AM, Stefan Sperling <st...@elego.de> wrote:
>> On Sat, Jun 14, 2008 at 01:49:51PM +0300, Daniel Shahaf wrote:
>>> Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
>>>> Do you have any idea what difference between the googlecode.com
>>>> setup and my setup could cause the prompt to appear twice for you?
>>> Did you try to reproduce against googlecode.com?  Did you try both serf
>>> and neon?
>> Neither.
>>
>> I'd rather wait for David's reply before I continue poking in the dark.
> 
> I was using Neon.  I try not to learn details about how the WebDAV
> protocols work, at googlecode or elsewhere, because I find them
> revolting.

The attached patch fixes this. After looking into the 
code (subversion/libsvn_subr/simple_providers.c), I could see we start with the 
may_save_password value as 'FALSE' at line number 257. If it is unchanged by 
the if condition immediately following it and we are interactive, 
may_save_password still remains 'FALSE'.

Look at the else condition at line number 297, which searches for any cached 
items for this realm and, if there are none, gets the answer via plaintext_prompt_func. Once we get 
the answer we mark the cached_answer boolean in this condition with 
may_save_password, which is still 'FALSE' for the conditions mentioned above, 
which ultimately results in giving a false alarm that we didn't have any cached 
answers when we come into this code once again.

So in this else block it is perfectly safe to mark cached_answer as 'TRUE' in 
order to avoid these multiple password prompts instead of relying on 
may_save_password, which will misbehave.

[[[
Fix multiple password prompts.

* subversion/libsvn_subr/simple_providers.c
   (svn_auth__simple_save_creds_helper): When we do not have any cached answers
    we need to set cached answers to 'TRUE' instead of may_save_password

Patch by: stylesen
]]]

Thank You.

PS: Sorry for my poor explanation above with line numbers :(

-- 
Senthil Kumaran S
http://www.stylesen.org/

Re: multiple password prompts

Posted by David Glasser <gl...@davidglasser.net>.
On Sun, Jun 15, 2008 at 5:26 AM, Stefan Sperling <st...@elego.de> wrote:
> On Sat, Jun 14, 2008 at 01:49:51PM +0300, Daniel Shahaf wrote:
>> Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
>> > Do you have any idea what difference between the googlecode.com
>> > setup and my setup could cause the prompt to appear twice for you?
>>
>> Did you try to reproduce against googlecode.com?  Did you try both serf
>> and neon?
>
> Neither.
>
> I'd rather wait for David's reply before I continue poking in the dark.

I was using Neon.  I try not to learn details about how the WebDAV
protocols work, at googlecode or elsewhere, because I find them
revolting.

--dave

-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Sat, Jun 14, 2008 at 01:49:51PM +0300, Daniel Shahaf wrote:
> Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
> > Do you have any idea what difference between the googlecode.com
> > setup and my setup could cause the prompt to appear twice for you?
> 
> Did you try to reproduce against googlecode.com?  Did you try both serf 
> and neon?

Neither.

I'd rather wait for David's reply before I continue poking in the dark.

Stefan

Re: multiple password prompts

Posted by Daniel Shahaf <d....@daniel.shahaf.co.il>.
Stefan Sperling wrote on Sat, 14 Jun 2008 at 12:30 +0200:
> I cannot reproduce this using a 1.4.4 server with trunk client.
> 
...
> 
> Caching the answer did work, I didn't get prompted in-between
> the listings.
> 
> Hmmm, so it's not as simple as svn:// vs. https://
> 
> Do you have any idea what difference between the googlecode.com
> setup and my setup could cause the prompt to appear twice for you?

Did you try to reproduce against googlecode.com?  Did you try both serf 
and neon?

Daniel

> I guess there are many differences since the google setup is likely
> quite complex, but I hope we can somehow single out what's causing
> this bug.
> 
> Stefan
> 

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Sat, Jun 14, 2008 at 11:07:59AM +0200, Stefan Sperling wrote:
> On Fri, Jun 13, 2008 at 03:58:57PM -0700, David Glasser wrote:
> > -----------------------------------------------------------------------
> > Store password unencrypted (yes/no)? yes
> 
> > -----------------------------------------------------------------------
> > Store password unencrypted (yes/no)? yes
> > A    REDACTED/trunk
> > A    REDACTED/wiki
> > ...
> > 
> > 
> > Um.  Why did it ask me the same question twice?
> 
> Huh. Oh well, I thought I had fixed this.

> I'll setup a https server and try to reproduce.

I cannot reproduce this using a 1.4.4 server with trunk client.

My setup is simple -- the repository contains only a single
file called 'a', and requires authentication for any operation:

<Location /repos>
  DAV svn
  SVNPath /tmp/repos
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/apache2/svn-auth-file
  Require valid-user
</Location>


stsp@jack [~] trunk-power $ svn --version | head -n2
svn, version 1.6.0 (dev build)
   compiled Jun 14 2008, 12:08:15


I'll cause two RA sessions to be used by listing the repository
twice with a single command:

stsp@jack [~] trunk-power $ svn --config-dir /tmp/subversion ls https://localhost/repos https://localhost/repos
Error validating server certificate for 'https://localhost:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: jack.stsp.name
 - Valid: from Sat, 14 Jun 2008 08:45:55 GMT until Sun, 14 Jun 2009 08:45:55 GMT
 - Issuer: jack.stsp.name
 - Fingerprint: c3:7b:f0:36:47:b4:dd:72:0e:a8:ed:6b:a9:4f:bf:e9:5b:df:b3:f9
(R)eject, accept (t)emporarily or accept (p)ermanently? t
Authentication realm: <https://localhost:443> Subversion repository
Password for 'stsp': 
Authentication realm: <https://localhost:443> Subversion repository
Username: harry
Password for 'harry': 
-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:

   <https://localhost:443> Subversion repository

can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/tmp/subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)? yes
a
a
stsp@jack [~] trunk-power $

Caching the answer did work, I didn't get prompted in-between
the listings.

Hmmm, so it's not as simple as svn:// vs. https://

Do you have any idea what difference between the googlecode.com
setup and my setup could cause the prompt to appear twice for you?
I guess there are many differences since the google setup is likely
quite complex, but I hope we can somehow single out what's causing
this bug.

Stefan

Re: multiple password prompts

Posted by Stefan Sperling <st...@elego.de>.
On Fri, Jun 13, 2008 at 03:58:57PM -0700, David Glasser wrote:
> -----------------------------------------------------------------------
> Store password unencrypted (yes/no)? yes

> -----------------------------------------------------------------------
> Store password unencrypted (yes/no)? yes
> A    REDACTED/trunk
> A    REDACTED/wiki
> ...
> 
> 
> Um.  Why did it ask me the same question twice?

Huh. Oh well, I thought I had fixed this.

There are two RA sessions being opened. The answer you give to
the prompt during the first RA session should be cached and
reused in the second RA session.

I added support for this on the branch with the very long name
in r30793. There was a bug though, a pool life time issue caused
a crash when trying to retrieve the cached answer.
I fixed that in r30800.

There might be something wonky with the way I implemented this.
I have no idea why your answer isn't being cached. I tested this
over svn://, and it worked. Maybe it does not work over https
for some reason?

Anyway, this bit of code does not seem to be working as expected,
in case you want to help me dig into it:

subversion/libsvn_subr/simple_providers.c:

           else if (b->plaintext_prompt_func)
                { 
                  /* We're interactive, and the client provided a
                   * prompt callback. So we can ask the user.
                   *
                   * Check for a cached answer before prompting. */
                  svn_boolean_t *cached_answer;
                  cached_answer = apr_hash_get(b->plaintext_answers,
                                               realmstring,
                                               APR_HASH_KEY_STRING);
                  if (cached_answer)
                    may_save_password = *cached_answer;
                  else
                    { 
                      /* Nothing cached for this realm, prompt the user. */

Breaking at svn_auth__simple_save_creds_helper and looking what's
in the cache the second time is where I'd try looking first.

I'll setup a https server and try to reproduce.

Stefan
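The caching behaviour Stefan describes in this message, and the reasoning about may_save_password and cached_answer in Senthil's reply further up the thread, as an added example that is not Subversion's own code: a small C model of the per-realm cache of "Store password unencrypted?" answers, driven by a scripted user, with a switch that reproduces the effect of caching TRUE instead of the user's answer. The cache, the prompt callback, run_sessions and the realm string are hypothetical stand-ins for the apr_hash_t and svn_auth__simple_save_creds_helper machinery. The model shows the intended single prompt per realm and why a forced TRUE is unsafe; it does not reproduce the googlecode double prompt, whose cause the thread leaves open.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Subversion's code. Models the per-realm cache of
 * plaintext-prompt answers that the save-creds helper consults before
 * prompting, so the answer from the first RA session is reused by the
 * second. All names below are hypothetical; the realm is constructed. */

#define MAX_REALMS 8

/* Callback the client supplies to ask the user; true means "yes". */
typedef bool (*prompt_fn)(const char *realm, void *baton);

/* Stand-in for the apr_hash_t keyed by realm string. */
struct answer_cache {
    const char *realm[MAX_REALMS];
    bool answer[MAX_REALMS];
    int count;
};

/* Like apr_hash_get: NULL means "nothing cached for this realm".
 * A cached false is still a hit; only the pointer decides. */
static bool *cache_lookup(struct answer_cache *c, const char *realm)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->realm[i], realm) == 0)
            return &c->answer[i];
    return NULL;
}

static void cache_store(struct answer_cache *c, const char *realm, bool answer)
{
    if (c->count < MAX_REALMS) {
        c->realm[c->count] = realm;
        c->answer[c->count] = answer;
        c->count++;
    }
}

/* Decide whether the plaintext password for REALM may be written to disk.
 * Prompts at most once per realm. With hardcode_true set, the cache records
 * true instead of the user's answer, which is the change the thread rejects. */
static bool may_save_plaintext(struct answer_cache *c, const char *realm,
                               prompt_fn prompt, void *baton, bool hardcode_true)
{
    bool may_save = false;               /* default: never store plaintext */
    bool *cached = cache_lookup(c, realm);

    if (cached != NULL)
        may_save = *cached;
    else {
        may_save = prompt(realm, baton); /* nothing cached: ask the user */
        cache_store(c, realm, hardcode_true ? true : may_save);
    }
    return may_save;
}

/* Scripted user for the demo: always gives the same answer, counts prompts. */
struct scripted_user { bool answer; int prompts; };

static bool scripted_prompt(const char *realm, void *baton)
{
    struct scripted_user *u = baton;
    (void)realm;
    u->prompts++;
    return u->answer;
}

struct outcome { int prompts; bool saved; };

/* Run SESSIONS credential saves against one realm, as a command that opens
 * several RA sessions would; returns the prompt count and the last decision. */
struct outcome run_sessions(int sessions, bool user_answer, bool hardcode_true)
{
    struct answer_cache cache = { {0}, {0}, 0 };
    struct scripted_user user = { user_answer, 0 };
    const char *realm = "<https://example.invalid:443> Example repository";
    struct outcome out = { 0, false };

    for (int i = 0; i < sessions; i++)
        out.saved = may_save_plaintext(&cache, realm, scripted_prompt, &user,
                                       hardcode_true);
    out.prompts = user.prompts;
    return out;
}

int main(void)
{
    struct outcome a = run_sessions(2, true, false);
    struct outcome b = run_sessions(2, false, false);
    struct outcome c = run_sessions(2, false, true);
    printf("yes, answer cached:        %d prompt(s), saved=%d\n", a.prompts, a.saved);
    printf("no,  answer cached:        %d prompt(s), saved=%d\n", b.prompts, b.saved);
    printf("no,  TRUE forced in cache: %d prompt(s), saved=%d\n", c.prompts, c.saved);
    return 0;
}
```

Build with cc -std=c99 and run. The first two lines show one prompt per realm whatever the user answered; the third shows that once TRUE is forced into the cache, the second RA session saves the plaintext password although the user said 'no' to the only prompt they saw.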