Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #12476 Identical user secrets should not be distinguishable in the SVN Redis cache
    Actions
    Infos
    #12476
    Thomas Gerbet (tgerbet)
    2018-11-21 14:44
    2018-10-31 10:54
    13185
    Details
    Identical user secrets should not be distinguishable in the SVN Redis cache
    request #11654 has introduced a secret cache stored in Redis to solve some performance issues when doing SVN operations.

    As this cache is short lived and should allow fast comparison with a secret provided by a user it does not have all the properties of a password storage designed for being long lived.
    The secret cache should however do whatever is possible to protect the secrets in the best possible ways. Currently, the cache allows a malicious Redis administrator to be able to see if the secrets are identical or not between users. This should not be possible.
    SCM/Subversion
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-11-21
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #12269 Tuleap Releases 10.8 Delivered 2018-12-07 15:14 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #12476

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/19/13019/3' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 9f74e9b871
    User avatar Nicolas Terray (nterray) , 2018-11-21 14:43
    request #12476: Identical user secrets should not be distinguishable in the SVN Redis cache df03d411a4
    User avatar Thomas Gerbet (tgerbet) , 2018-11-19 09:58
    Display settings

    Follow-ups