Clear text cred display in mirror settings #235

Closed
opened 2025-11-02 03:14:56 -06:00 by GiteaMirror · 8 comments

Originally created by @handnot2 on GitHub (Jan 14, 2017).

  • Gitea version (or commit ref): 1.0.1
  • Git version:
  • Operating system: Debian Jesse arm
  • Database (use [x]):
    • [ ] PostgreSQL
    • [ ] MySQL
    • [x] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
    • [x] Not relevant
  • Log gist:

Description

Create a mirror of a private repo by providing the GIT URL and credentials at the top of the
Mirror Settings section. Once the mirror is created, the page
(Settings > Mirror Settings > Mirror Address) shows the credential in clear (https://user:passwd@host:port/repo..).

It is better to remove this mirror address display. If it is still needed, at the least mask the password.

GiteaMirror added the issue/confirmedtype/enhancement labels 2025-11-02 03:14:56 -06:00

@bkcsoft commented on GitHub (Jan 14, 2017):

Just using net/url doing the following should suffice (Pseudo-code, variables might be off, here be dragons)

```go
// scheme://[userinfo@]host/path[?query][#fragment]
u, err := url.Parse(repo.MirrorAddress) // import "net/url"; named u so the package name is not shadowed
if err != nil {
	// err-check: treat an unparseable address as an error instead of echoing it back to the page
	return err
}
u.User = nil // drop the whole userinfo part before the address is rendered
ctx.Data["MirrorAddress"] = u.String()
```

Ref: https://golang.org/pkg/net/url/#URL.String

> if u.User is nil, userinfo@ is omitted.


@bkcsoft commented on GitHub (Jan 14, 2017):

You can also (if you want to see that auth is used) do the following to show https://******@example.com/foobar.git

```go
if u.User != nil { // u.User is a *url.Userinfo, so test it against nil rather than as a bool
	u.User = url.User(`********`) // url is the net/url package here, u the parsed *url.URL
}
```

Ref: https://golang.org/pkg/net/url/#User

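The two display options suggested above (drop the userinfo entirely, or keep it but hide the secret) combined into one Go helper, as an added example that is not code from this issue or from Gitea; the function name RedactMirrorAddress, the keepUser switch and the sample address are assumptions made for the example. It keeps the username visible so an admin can still see which account the mirror uses, which addresses part of the retyping concern, and it never echoes the raw address on a parse error.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Shown instead of the real secret. Alphanumeric on purpose: url.String
// percent-encodes '*' inside userinfo, so a row of asterisks would render
// as %2A%2A%2A... on the settings page.
const maskedPassword = "REDACTED"

// RedactMirrorAddress (hypothetical helper) returns a display-safe copy of a
// mirror address. keepUser=true keeps the username and masks only the
// password, so an admin can still tell which account the mirror uses;
// keepUser=false drops the whole userinfo block (the u.User = nil variant).
// The stored address is untouched, so the mirror sync itself keeps working.
func RedactMirrorAddress(raw string, keepUser bool) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Error embeds the raw input in its message, so neither wrap
		// nor log it: that would leak the secret this function is hiding.
		return "", errors.New("mirror address is not a parseable URL")
	}
	if u.User == nil {
		return u.String(), nil // no embedded credential, nothing to hide
	}
	if !keepUser {
		u.User = nil
		return u.String(), nil
	}
	if _, hasPassword := u.User.Password(); !hasPassword {
		return u.String(), nil // username only, nothing to mask
	}
	u.User = url.UserPassword(u.User.Username(), maskedPassword)
	return u.String(), nil
}

func main() {
	// Constructed sample; not a real host or credential.
	addr := "https://deploy:s3cret@git.example.com:3000/org/private.git"
	for _, keep := range []bool{true, false} {
		out, err := RedactMirrorAddress(addr, keep)
		fmt.Println(out, err)
	}
}
```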

@tboerger commented on GitHub (Jan 16, 2017):

IMHO this is not a real security issue because it's anyway only visible to repo admins. Besides that, just replacing or wiping credentials without any workaround makes it impossible to update the settings without retyping the credentials over and over again.


@bkcsoft commented on GitHub (Jan 16, 2017):

@tboerger to me it feels like an "over-the-shoulder" security issue, which IMO should be fixed. Though showing and editing doesn't have to be the same "box".


@stale[bot] commented on GitHub (Feb 17, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.


@stale[bot] commented on GitHub (Apr 21, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.


@stale[bot] commented on GitHub (May 5, 2019):

This issue has been automatically closed because of inactivity. You can re-open it if needed.


@mrsdizzie commented on GitHub (Sep 7, 2020):

Fixed in #7651

Reference: github-starred/gitea#235