Bug #5594


Credentials in Repository Settings for Pull requests are exposed

Added by Andrew Mould about 4 years ago. Updated almost 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Commit Number:
Affected Version:


The Pull URL is hidden where specified on the settings screen. However on the Remote Sync screen, the URL is masked, but clearly visible when hovering the cursor over the masked URL, as well as obviously being visible in the page source. Makes the masking a little pointless, unless the idea is to avoid the person reading over your shoulder?!


2020-02-21_19-32-21.png (81.5 KB) 2020-02-21_19-32-21.png Andrew Mould, 22.02.2020 04:41
Actions #1

Updated by Marcin Kuzminski [CTO] about 4 years ago

Hi Andrew,

Could you attach a screenshot where is this happening?

Actions #2

Updated by Andrew Mould about 4 years ago

Here you go the floatover contents are shown at the bottom

Actions #3

Updated by Marcin Kuzminski [CTO] about 4 years ago

This isn't a mistake then. The visible part is hidden from someone seeing it on the screen. The url has credentials on it (and some browsers show it, some not) so users are able to click on the URL and access it fully with the credentials.

That being said we'll discuss this again security-wise. Clearly that's convenience over security and this can be done better here.

Actions #4

Updated by Andrew Mould about 4 years ago

Agreed. But all browsers will allow viewing the underlying html source, which obviously also contains the credentials in the link... if people think to look there.

To my mind the link is not needed to be shown there at all. All that's needed is the button "Pull changes from remote location", which doesn't need any credentials in it.

It all depends on what your goal is here, which I can't speak to. To me it was just an inconsistency, so I thought it should get a second look to make sure it was achieving what you were intending.

Actions #5

Updated by Marcin Kuzminski [CTO] almost 4 years ago

  • Status changed from New to Resolved

This was fixed/changed in 4.19.X


Also available in: Atom PDF