Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 1560 by nahor.j: post-review: password should be configurable via a config file instead of the command line
http://code.google.com/p/reviewboard/issues/detail?id=1560

What version are you running?
post-review 0.8

Please provide any additional information below.
When using the --password parameter, the password for that user is visible to everybody on the machine (e.g. with "ps ax" on Linux). One should be able to set the password in a configuration file, which then can be configured to be readable only by the user running post-review. That way there is no password leak.

I put that as a defect because it can be a big security leak, especially when post-review is run by an automated tool like a post-commit hook. In this setup, post-review needs to have access to the whole repository/repositories on the server, so if a user can get hold of this password, he can circumvent any read limitation in the SCM.

This bug can be mitigated with the cookie (but then it means that every year, the admin must remember to renew it).
