passwords being logged and shown in the clear

[krcb197]

It is possible to run the module by passing in a user name and password, for example:

svn_report = svn.remote.RemoteClient(svn_item, username=user_name, password=mypassword_as_a_string )
svn_report.export(target_dir)

Even if you have followed all the good practices for handling passwords within your code, the svn package has two issues:

• in the CommonBase the full svn command is sent to the debug log
• In the event of failure full command is sent to the exception, which then shows in many places

The password should be obscured before the errors or logs are made

[krcb197]

This ticket is a partial duplicate of #125

[krcb197]

I have submitted a Pull Request with a fix in it. Hopefully it will be accepted.

[rjfs]

Any plans for accepting the PR? I must admit I don't feel safe using the package with this problem on it.

[krcb197]

This issue only affects the case where the credentials are being passed through Python. In many case there are other ways to avoid the issue:

• including letting the SVN executable cache the credentials
• passing them through an environment variable.

That said I am not sure who we need to lobby/persuade to get the updates through.