
Bug #5594

Credentials in Repository Settings for Pull requests are exposed

Added by Andrew Mould 4 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 22.02.2020
Due date:
% Done: 0%
Estimated time:
Sorting:
Commit Number:
Affected Version:

Description

The Pull URL is hidden where specified on the settings screen. However on the Remote Sync screen, the URL is masked, but clearly visible when hovering the cursor over the masked URL, as well as obviously being visible in the page source. Makes the masking a little pointless, unless the idea is to avoid the person reading over your shoulder?!

Attachment: 2020-02-21_19-32-21.png (81.5 KB), Andrew Mould, 22.02.2020 04:41

History

#1 Updated by Marcin Kuzminski [CTO] 4 months ago

Hi Andrew,

Could you attach a screenshot of where this is happening?

#2 Updated by Andrew Mould 4 months ago

Here you go, the floatover contents are shown at the bottom.

#3 Updated by Marcin Kuzminski [CTO] 4 months ago

This isn't a mistake then. The visible part is hidden from someone seeing it on the screen. The url has credentials on it (and some browsers show it, some not) so users are able to click on the URL and access it fully with the credentials.

That being said we'll discuss this again security-wise. Clearly that's convenience over security and this can be done better here.

#4 Updated by Andrew Mould 4 months ago

Agreed. But all browsers will allow viewing the underlying html source, which obviously also contains the credentials in the link... if people think to look there.

To my mind the link doesn't need to be shown there at all. All that's needed is the button "Pull changes from remote location", which doesn't need any credentials in it.

It all depends on what your goal is here, which I can't speak to. To me it was just an inconsistency, so I thought it should get a second look to make sure it was achieving what you were intending.
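An added illustration (not RhodeCode's code) of the two rendering choices discussed in this thread: masking the visible text while the full URL still sits in `href`/`title`, versus stripping the userinfo before it reaches the template and letting the button post to a server-side endpoint that reads the stored URL itself. The helper names, the `/remote-sync/pull` endpoint and the sample URL are hypothetical.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit


def redact_credentials(url: str) -> str:
    """Return url with any userinfo (user:password@) stripped from the netloc."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                      # bare IPv6 literal: restore its brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def render_masked_only(pull_url: str) -> str:
    """The pattern the report describes: text is masked, href/title carry the secret."""
    full = escape(pull_url)
    return f'<a href="{full}" title="{full}">{"*" * 12}</a>'


def render_remote_sync(pull_url: str) -> str:
    """Hardened widget (hypothetical): the secret-bearing URL never enters the HTML.
    The pull action posts to a server-side endpoint that reads the stored URL itself."""
    shown = escape(redact_credentials(pull_url))
    return (
        f"<p>Pull URL: <code>{shown}</code></p>\n"
        '<form method="post" action="/remote-sync/pull">'
        '<button type="submit">Pull changes from remote location</button></form>'
    )


def leaked_secrets(html: str, pull_url: str) -> list[str]:
    """Check to run over the rendered page: which credential parts appear in the source?"""
    parts = urlsplit(pull_url)
    return [s for s in (parts.username, parts.password) if s and s in html]


if __name__ == "__main__":
    # Constructed sample; 'alice' / 's3cret' are placeholders, not real credentials.
    url = "https://alice:s3cret@git.example.com:8443/org/repo.git"
    print(leaked_secrets(render_masked_only(url), url))   # ['alice', 's3cret']
    print(leaked_secrets(render_remote_sync(url), url))   # []
    print(redact_credentials(url))  # https://git.example.com:8443/org/repo.git
```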

#5 Updated by Marcin Kuzminski [CTO] about 1 month ago

  • Status changed from New to Resolved

This was fixed/changed in 4.19.X
