[BUG] Don't include username in URL on checkout

2009-04-21 Thread Quinn Taylor
I know the merit of including the username in the repository URL when  
setting up a repository bookmark has already been debated (and I'm  
still against it, though not so much so that it's worth quarreling  
about at this point) but I just ran into an offshoot of this that is  
truly annoying.


I discovered that for working copies checked out with Versions, when  
the repository requires authentication, the username is hard-coded in  
the URL for the working copy. That is to say, using `svn info` from  
the command line shows URLs of the form http://usern...@server.example.com/repository/path.
When I want to copy/paste the URL of a specific resource to send it  
to someone, this adds a step of removing the username and "@" sign,  
and it makes the URL longer unnecessarily. This *might* even be viewed  
as a security liability, since if an attacker is able to see the  
username in the URL, they know a valid login for which they can guess  
passwords. (I'm aware that the last changed author is also shown by  
svn info, but I use custom scripts that parse out the root and  
resource URLs for me in a convenient form without showing anything  
else.)


I would strongly suggest that this behavior be changed, and that the  
username be passed with the --username option (or whatever the  
equivalent is for the SVN API). I have the same beef with Xcode — they  
also put the username in the URL on checkout, and I'm filing a bug  
against that as well.


Thanks,
  - Quinn
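
The message above mentions scripts that pull the root and resource URLs out of `svn info`. The following is an added example, not part of the original post or of Versions: it parses `svn info` text and strips the userinfo part from those URLs before they are shared. The sample output and the username `alice` are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of `svn info` output (not captured from a real working copy).
SAMPLE_SVN_INFO = """\
Path: .
URL: http://alice@server.example.com/repository/path/trunk
Repository Root: http://alice@server.example.com/repository/path
Revision: 42
Last Changed Author: alice
"""

# The `svn info` fields that carry a repository URL.
URL_FIELDS = ("URL", "Repository Root")


def strip_userinfo(url):
    """Return (clean_url, username); username is None if the URL had no userinfo."""
    parts = urlsplit(url)
    # Only the authority component counts: an "@" in the path (an SVN peg
    # revision such as file.c@123) must be left alone.
    if "@" not in parts.netloc:
        return url, None
    # Everything before the last "@" is userinfo ("user" or "user:password").
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=host)), parts.username


def shareable_urls(svn_info_text):
    """Map each URL field of `svn info` output to (clean_url, removed_username)."""
    result = {}
    for line in svn_info_text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key in URL_FIELDS:
            result[key] = strip_userinfo(value.strip())
    return result


if __name__ == "__main__":
    for field, (url, user) in shareable_urls(SAMPLE_SVN_INFO).items():
        note = f"  (removed username {user!r})" if user else ""
        print(f"{field}: {url}{note}")
```

A non-`None` username in the result also works as an audit signal that a working copy was checked out with credentials embedded in its URL.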



Re: [BUG] Don't include username in URL on checkout

2013-08-21 Thread Dan O'Keefe
I could not agree more. I am evaluating Versions and Cornerstone, and I 
cannot get a repository bookmark (why change the name, I hate that, it's a 
repository!!) connected to my own SVN server. In Tortoise, it would take me 
5 seconds. Back to Cornerstone for now.

On Tuesday, April 21, 2009 1:52:42 PM UTC-7, Quinn Taylor wrote:
>
> I know the merit of including the username in the repository URL when  
> setting up a repository bookmark has already been debated (and I'm  
> still against it, though not so much so that it's worth quarreling  
> about at this point) but I just ran into an offshoot of this that is  
> truly annoying.
>
> I discovered that for working copies checked out with Versions, when  
> the repository requires authentication, the username is hard-coded in  
> the URL for the working copy. That is to say, using `svn info` from  
> the command line shows URLs of the form 
> http://usern...@server.example.com/repository/path.
> When I want to copy/paste the URL of a specific resource to send it  
> to someone, this adds a step of removing the username and "@" sign,  
> and it makes the URL longer unnecessarily. This *might* even be viewed  
> as a security liability, since if an attacker is able to see the  
> username in the URL, they know a valid login for which they can guess  
> passwords. (I'm aware that the last changed author is also shown by  
> svn info, but I use custom scripts that parse out the root and  
> resource URLs for me in a convenient form without showing anything  
> else.)
>
> I would strongly suggest that this behavior be changed, and that the  
> username be passed with the --username option (or whatever the  
> equivalent is for the SVN API). I have the same beef with Xcode — they  
> also put the username in the URL on checkout, and I'm filing a bug  
> against that as well.
>
> Thanks,
>- Quinn
>
>
