Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plaintext passwords logged on authentication failure to Git HTTP interface #612

Closed
gitblit opened this issue Aug 12, 2015 · 3 comments
Closed

Comments

@gitblit
Copy link
Owner

@gitblit gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 316

What steps will reproduce the problem?
1. Attempt a git clone of a Gitblit served repository over HTTP
2. Provide an incorrect password

e.g.  http://<USER>@git/git/repo.git

What is the expected output? What do you see instead?

The Gitblit logs contain an entry recording the failed authentication attempt, specifying
the userID.
If a failed login occurs to the user interface, this logs only the user ID.
If the failed login occurs to the Git HTTP interface, the password provided is logged
in plain text.

What version of the product are you using? On what operating system?

1.3.1, LDAP authentication integrated with Active Directory

Please provide any additional information below.

This problem is exacerbated if a user account has been locked by some other action
(which is surprisingly common in enterprise networks) as in that case correct passwords
will fail authentication and be logged.

Reported by ultradodge on 2013-09-27 02:53:06

@gitblit
Copy link
Owner Author

@gitblit gitblit commented Aug 12, 2015

The log message containing the password is as follows:

<DATE> GitBlit [WARN] Failed login attempt for <USER>, invalid credentials (<USER>:<PASSWORD>)
from <ADDRESS>

Reported by ultradodge on 2013-09-27 02:54:36

@gitblit
Copy link
Owner Author

@gitblit gitblit commented Aug 12, 2015

Fix pushed to master.

Reported by James.Moger on 2013-09-27 12:03:47

  • Status changed: Queued
  • Labels added: Milestone-1.4.0

@gitblit
Copy link
Owner Author

@gitblit gitblit commented Aug 12, 2015

1.4.0 released.

Reported by James.Moger on 2014-03-09 18:06:21

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix added this to the 1.4.0 milestone Dec 13, 2016
@flaix flaix added this to the 1.4.0 milestone Dec 13, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants