origin_save: Reject save request when origin URL contains a password
Closed, Public

Authored by anlambert on May 17 2022, 5:34 PM.

Details

Summary

For obvious security reasons, do not accept a Save Code Now request
for an origin URL containing a password in it as the list of submitted
requests is publicly browsable from the Web UI.

Nevertheless accept origin URLs with anonymous credentials (CVS ones
for instance).

Related to T4240
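
One way to implement the check described in the summary, as an added example and not the code from this revision. The names `check_origin_url`, `redact_password` and `OriginUrlRejected`, the sample URLs, and the set of passwords treated as anonymous are assumptions; the rejection message redacts the password so the secret is not copied into logs or error pages.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumption: passwords treated as anonymous. The page only says anonymous
# credentials (CVS ones for instance) are accepted, not which values.
ANONYMOUS_PASSWORDS = frozenset({"", "anonymous"})


class OriginUrlRejected(ValueError):
    """Hypothetical exception type for a refused save request."""


def redact_password(origin_url: str) -> str:
    """Return the URL with any password replaced, safe for logs and error pages."""
    parts = urlsplit(origin_url)
    if parts.password is None:
        return origin_url
    # urlsplit treats everything before the last "@" as userinfo; do the same
    host = parts.netloc.rpartition("@")[2]
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit(parts._replace(netloc=netloc))


def check_origin_url(origin_url: str) -> str:
    """Return origin_url unchanged if it is safe to list publicly, else raise."""
    try:
        parts = urlsplit(origin_url)
        password = parts.password
    except ValueError as exc:  # e.g. unbalanced "[" in the host part
        raise OriginUrlRejected("malformed origin URL") from exc
    # Percent-decode before comparing, so "%61nonymous" is judged as "anonymous"
    if password is not None and unquote(password) not in ANONYMOUS_PASSWORDS:
        # Never echo the secret back: the message may end up in logs or the UI
        raise OriginUrlRejected(
            f"origin URL contains a password: {redact_password(origin_url)}"
        )
    return origin_url
```
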

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build has FAILED

Patch application report for D7843 (id=28336)

Rebasing onto f65bb5bc84...

Current branch diff-target is up to date.
Changes applied before test
commit f2d6fec278db0f5d045293343019ac8a95b2e3af
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Tue May 17 17:29:11 2022 +0200

    origin_save: Reject save request when origin URL contains a password
    
    For obvious security reasons, do not accept a Save Code Now request
    for an origin URL containing a password in it as the list of submitted
    requests are publicly browsable from the Web UI.
    
    Nevertheless accept origin URLs with anonymous credentials (CVS ones
    for instance).
    
    Related to T4240

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1845/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1845/console

Harbormaster returned this revision to the author for changes because remote builds failed. May 17 2022, 5:57 PM
Harbormaster failed remote builds in B29440: Diff 28336!

Build has FAILED

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1846/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1846/console

Build is green

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1847/ for more details.

This revision is now accepted and ready to land. May 18 2022, 11:09 AM