•  
      request #12476 Identical user secrets should not be distinguishable in the SVN Redis cache
    Infos
    #12476
    Thomas Gerbet (tgerbet)
    2018-11-21 14:44
    2018-10-31 10:54
    12517
    Details
    Identical user secrets should not be distinguishable in the SVN Redis cache
    request #11654 has introduced a secret cache stored in Redis to solve some performance issues when doing SVN operations.

    As this cache is short lived and should allow fast comparison with a secret provided by a user it does not have all the properties of a password storage designed for being long lived.
    The secret cache should however do whatever is possible to protect the secrets in the best possible ways. Currently, the cache allows a malicious Redis administrator to be able to see if the secrets are identical or not between users. This should not be possible.
    Empty
    SCM/Subversion
    All
    Empty
    Empty
    Stage
    Empty
    Closed
    2018-11-21
    Attachments
    Empty
    References

    List of items referenced by or referencing this item.

    Artifact Tracker v5

    Follow-ups