On 3/20/12 12:58 PM, Olivier Lamy wrote:
> Hello Folks,
> The default preemptive on for GET is probably a bad idea.
> Imagine the following case, in your settings you have:
> <server>
>   <username>olamy</username>
>   <password>reallycomplicatedpassword</password>
>   <id>foo.org</id>
> </server>
> During dependencies resolution, you get a pom with a repository.
> <repository>
>   <id>foo.org</id>
>   <url>http://yourpasswordwillbehacked.org/</url>
> </repository>
> So with preemptive or not, you will expose your password to a server
> you probably don't trust.
> My ideas are:
> * preemptive off by default for GET
> * adding a url element in server element in the settings. And when
> using a remote repository send authz only if host:ip match
> WDYT?
+1000
Even if the server entry foo.org doesn't have a configuration for
preemptive authentication, http://yourpasswordwillbehacked.org/ could
still grab the password via BASIC authentication without much trouble.
In fact, it probably wouldn't be hard for someone to scan all the
repository entries in POMs on central, and write some sort of server to
serve POMs that have a ton of repository entries in it with all the
matching repo ids, just to harvest passwords.
They'd still have to socially engineer you into requesting the POM from
their server - or at least put a trigger POM out on central - but it's a
bit chilling nonetheless, IMO.
Thanks,
--
John Casey
Developer, PMC Chair - Apache Maven (http://maven.apache.org)
Blog: http://www.johnofalltrades.name/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
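Added illustration, not code from the thread or from Maven itself: a small Python model of the host-matching rule Olivier proposes, run against a constructed settings.xml and dependency POM. The `<url>` child of `<server>` is assumed here exactly as proposed in the thread; it is not a standard Maven settings element, and a server entry without it fails closed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed settings.xml. The <url> element on <server> is the thread's
# proposal, not a standard Maven setting; "legacy" has no url at all.
SETTINGS_XML = """<settings>
  <servers>
    <server><id>foo.org</id><username>olamy</username>
      <password>reallycomplicatedpassword</password>
      <url>https://repo.foo.org/</url></server>
    <server><id>legacy</id><username>u</username><password>p</password></server>
  </servers>
</settings>"""

# Constructed dependency POM: the first repository reuses the server id
# "foo.org" but points at a foreign host. Real POMs declare a default
# xmlns, which is why tags are compared by local name below.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>foo.org</id>
      <url>http://yourpasswordwillbehacked.org/</url></repository>
    <repository><id>other</id><url>https://repo.other.example/</url></repository>
  </repositories>
</project>"""

def _fields(elem):
    """Child tag (namespace stripped) -> text, for one <server>/<repository>."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}

def load_servers(settings_xml):
    """Map server id -> hostname from its <url>, or None when no url is set."""
    servers = {}
    for s in ET.fromstring(settings_xml).iter():
        if s.tag.rsplit("}", 1)[-1] == "server":
            f = _fields(s)
            servers[f["id"]] = urlparse(f["url"]).hostname if f.get("url") else None
    return servers

def should_send_credentials(servers, repo_id, repo_url):
    """Host-matching rule from the thread: send only when the repository id
    has a server entry AND the repository host equals the declared host.
    A server entry without a url fails closed (credentials never sent)."""
    expected = servers.get(repo_id)
    return expected is not None and urlparse(repo_url).hostname == expected

def audit_pom(servers, pom_xml):
    """(id, url) of each repository whose id matches a server entry but whose
    host cannot be confirmed: the entries that leak under id-only matching."""
    flagged = []
    for r in ET.fromstring(pom_xml).iter():
        if r.tag.rsplit("}", 1)[-1] == "repository":
            f = _fields(r)
            if f["id"] in servers and not should_send_credentials(servers, f["id"], f["url"]):
                flagged.append((f["id"], f["url"]))
    return flagged
```

Running `audit_pom` over the POMs a build resolves is the defensive check behind the proposal: any flagged entry is a repository that today would receive the credentials purely because its id collides with a server id.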