Georg Sauthoff created SVN-4611:
-----------------------------------

             Summary: Passwords with percent character are not correctly retrieved from gpg-agent
                 Key: SVN-4611
                 URL: https://issues.apache.org/jira/browse/SVN-4611
             Project: Subversion
          Issue Type: Bug
          Components: libsvn_subr
    Affects Versions: 1.9.3, 1.8.5
         Environment: Unix-like (e.g. Linux, Solaris)
            Reporter: Georg Sauthoff


Steps to reproduce:
1. set up SVN server with password authentication
2. set juser's password to e.g. '%123secret'
2. install gpg-agent
3. execute as juser (at least two times such that gpg-agent kicks in): svn ls $project
4. execute `svn ls $project` one more time

Actual result:
In step 3, user is asked for his password after gpg-agent pinentry is 
successfully finished.
In step 4, the last `svn ls $project` still yields a svn password prompt

Expected result:
In step 3, no more password prompt after gpg-agent pinentry is successfully 
finished.
In step 4, the last `svn ls $project` doesn't ask for password since it is able 
to retrieve it from gpg-agent.

How reproducible:
always

Workaround:
replace % characters in your password, e.g. with '!' ones.

Analysis:
The 'svn' command issues a 'GET_PASSPHRASE --data' command, thus, special 
characters inside the password might be escaped via the percent character. 
Especially, % itself is escaped like this: %25. The code in gpg-agent.c doesn't 
seem to handle this, i.e. it doesn't try to 'parse' (i.e. unescape) % sequences.

Perhaps it is even easier to drop the --data option, i.e. then all characters 
are hex encoded.

See also:

https://svn.apache.org/repos/asf/subversion/tags/1.9.3/subversion/libsvn_subr/gpg_agent.c

https://svn.apache.org/repos/asf/subversion/tags/1.8.5/subversion/libsvn_subr/gpg_agent.c
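The unescaping step the analysis says is missing, as an added example (not code from Subversion or from the reporter): decoding the `%XX` sequences of an Assuan data line such as the reply to `GET_PASSPHRASE --data`. The names `hexval` and `unescape_data_line` are hypothetical, and the sample line in `main` is constructed from the password in the reproduction steps.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the payload of a data line ("D <payload>") into out.
 * Each "%XX" becomes the byte 0xXX; every other byte is copied as is.
 * Returns the decoded length, or -1 if this is not a data line, an
 * escape is truncated or not hex, or out is too small. */
static int unescape_data_line(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;

    if (outsz == 0 || strncmp(line, "D ", 2) != 0)
        return -1;
    for (p = line + 2; *p && *p != '\n'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0)
                return -1;          /* "%", "%2" or "%zz": reject */
            c = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= outsz)
            return -1;              /* keep room for the terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: the password '%123secret' as it appears escaped. */
    if (unescape_data_line("D %25123secret\n", buf, sizeof buf) >= 0)
        printf("decoded: %s\n", buf);
    return 0;
}
```

Using the undecoded payload as the password sends `%25123secret` instead of `%123secret`, which matches the repeated prompt described in the actual result.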




