Clear text cred display in mirror settings #672
Comments
Just using

```go
// scheme://[userinfo@]host/path[?query][#fragment]
u, err := url.Parse(repo.MirrorAddress)
// err-check
u.User = nil
ctx.Data["MirrorAddress"] = u.String()
```

Ref: https://golang.org/pkg/net/url/#URL.String

You can also (if you want to see that auth is used) do the following to show it:

```go
if u.User != nil {
	u.User = url.User("********")
}
```
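The two approaches from the comment above (strip the userinfo or mask the password), worked out as an added example in Go; this is not Gitea's code, `repo.MirrorAddress` is stood in for by a constructed sample address, and the function names are hypothetical. It also covers the cases a settings page runs into: an address with a username but no password, and an scp-style address that `url.Parse` rejects.

```go
package main

import (
	"fmt"
	"net/url"
)

// DisplayMirrorAddress returns a copy of a mirror address that is safe to
// echo back on the settings page: the password in the userinfo part is
// replaced by a fixed placeholder via net/url's Redacted (Go 1.15+), so an
// admin still sees that, and for which user, credentials are configured.
// Hypothetical helper written for this issue; it is not Gitea's own code.
func DisplayMirrorAddress(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// scp-style addresses like "git@host:org/repo.git" do not parse;
		// never echo back a value we could not inspect for credentials.
		return "", fmt.Errorf("mirror address not displayable: %w", err)
	}
	// Redacted substitutes only the password; username, host, port, path
	// and query stay as they are. A hand-written "********" mask would be
	// percent-encoded to %2A by String(), hence the fixed placeholder.
	return u.Redacted(), nil
}

// StripMirrorUserinfo is the more conservative variant from the first
// comment: it drops the whole userinfo part, so neither the username
// nor the existence of credentials is revealed.
func StripMirrorUserinfo(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("mirror address not displayable: %w", err)
	}
	u.User = nil
	return u.String(), nil
}

// HasMirrorPassword lets the form show a "credentials set" hint instead
// of the value, so admins need not retype them on every settings update.
func HasMirrorPassword(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return false
	}
	_, has := u.User.Password()
	return has
}
```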
IMHO this is not a real security issue because it's anyway only visible to repo admins. Besides that, just replacing or wiping credentials without any workaround makes it impossible to update the settings without retyping the credentials over and over again.

@tboerger to me it feels like an "over-the-shoulder" security issue, which IMO should be fixed. Though showing and editing doesn't have to be the same "box".

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

This issue has been automatically closed because of inactivity. You can re-open it if needed.

Fixed in #7651
Description

Create a mirror of a private repo by providing the Git URL and credentials at the top of the Mirror Settings section. Once the mirror is created, the page (Settings > Mirror Settings > Mirror Address) shows the credential in clear (https://user:passwd@host:port/repo..). It is better to remove this mirror address display. If it is still needed, at the least mask the password.