Posted to issues@subversion.apache.org by "Ivan Zhakov (JIRA)" <ji...@apache.org> on 2016/04/29 10:15:13 UTC

[jira] [Updated] (SVN-4611) Passwords with percent character are not correctly retrieved from gpg-agent

     [ https://issues.apache.org/jira/browse/SVN-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan Zhakov updated SVN-4611:
-----------------------------
    Fix Version/s: 1.9.4

The fix was backported to the 1.9.x branch and released in Subversion 1.9.4.

> Passwords with percent character are not correctly retrieved from gpg-agent
> ---------------------------------------------------------------------------
>
>                 Key: SVN-4611
>                 URL: https://issues.apache.org/jira/browse/SVN-4611
>             Project: Subversion
>          Issue Type: Bug
>          Components: libsvn_subr
>    Affects Versions: 1.8.5, 1.9.3
>         Environment: Unix-like (e.g. Linux, Solaris)
>            Reporter: Georg Sauthoff
>             Fix For: 1.9.4
>
>
> Steps to reproduce:
> 1. set up SVN server with password authentication
> 2. set juser's password to e.g. '%123secret'
> 2. install gpg-agent
> 3. execute as juser (at least two times such that gpg-agent kicks in): svn ls $project
> 4. execute `svn ls $project` one more time
> Actual result:
> In step 3, user is asked for his password after gpg-agent pinentry is successfully finished.
> In step 4, the last `svn ls $project` still yields a svn password prompt
> Expected result:
> In step 3, no more password prompt after gpg-agent pinentry is successfully finished.
> In step 4, the last `svn ls $project` doesn't ask for password since it is able to retrieve it from gpg-agent.
> How reproducible:
> always
> Workaround:
> replace % characters in your password, e.g. with '!' ones.
> Analysis:
> The 'svn' command issues a 'GET_PASSPHRASE --data' command, thus, special characters inside the password might be escaped via the percent character. Especially, % itself is escaped like this: %25. The code in gpg-agent.c doesn't seem to handle this, i.e. it doesn't try to 'parse' (i.e. unescape) % sequences.
> Perhaps it is even easier to drop the --data option, i.e. then all characters are hex encoded.
> See also:
> https://svn.apache.org/repos/asf/subversion/tags/1.9.3/subversion/libsvn_subr/gpg_agent.c
> https://svn.apache.org/repos/asf/subversion/tags/1.8.5/subversion/libsvn_subr/gpg_agent.c
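
The unescaping step the analysis above says is missing, as an added example (not code from the report or from Subversion): a bounds-checked decoder for the percent-escaped payload that `GET_PASSPHRASE --data` returns. The function name `assuan_unescape`, the buffer sizes and the choice to reject a decoded NUL byte are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the payload of an Assuan "D" line (the bytes after "D ") into out
 * as a NUL-terminated string. Returns the decoded length, or -1 on a
 * truncated or non-hex escape, a decoded NUL byte, or too small a buffer.
 * On failure out is zeroed so no partial secret is left behind.
 * assuan_unescape is a hypothetical name, not a Subversion function. */
long assuan_unescape(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        unsigned char c = (unsigned char)in[i++];
        if (c == '%') {
            int hi, lo;
            if (in_len - i < 2) goto fail;            /* "%" or "%2" at end */
            hi = hex_val((unsigned char)in[i]);
            lo = hex_val((unsigned char)in[i + 1]);
            if (hi < 0 || lo < 0) goto fail;          /* e.g. "%zz" */
            c = (unsigned char)(hi * 16 + lo);
            i += 2;
        }
        if (c == '\0' || o + 1 >= out_cap) goto fail; /* keep room for NUL */
        out[o++] = (char)c;
    }
    if (out_cap == 0) goto fail;
    out[o] = '\0';
    return (long)o;
fail:
    if (out_cap > 0) memset(out, 0, out_cap);
    return -1;
}

int main(void)
{
    char buf[64];
    const char *wire = "%25123secret"; /* constructed: '%123secret' escaped */
    long n = assuan_unescape(wire, strlen(wire), buf, sizeof buf);
    printf("%ld %s\n", n, n >= 0 ? buf : "(malformed)");
    return 0;
}
```

Comparing the escaped wire form directly against the stored password is what makes the cached credential look wrong and triggers the repeated prompt described in steps 3 and 4.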


