P2D2::Password leak via DNS query

Issue #97 resolved
felddy created an issue

== Summary ==

When setting up a "Server Repository" MacHg may make a DNS request that exposes the secret password of the user.

== Steps to Reproduce ==

* Add Server Repository...
* In the Server URL field enter "https://example.com"
* Check the "Use Password" checkbox
* In the Password field enter "secretpassword"
* Tab out of field or click "test" button.

MacHg will make a DNS lookup for "secretpasswordexample.com".

== Version ==

MacHg 0.9.8 53d449e329b2

Comments (4)

  1. Jason Harris repo owner

    Hmmm... Not good. This should be fixed. Any volunteers want to investigate what is going on in the function:

    authorizeForShowingPassword, it's fairly self-contained from the rest of MacHg and would be an excellent help for me if anyone knows stuff about Authorization services on OS X, e.g. AuthorizationRef, AuthorizationItem, AuthorizationCopyRights, etc.

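The report shows the password fused into the hostname that gets resolved. As an added example (not MacHg's code, and not a statement of the root cause, which the page does not give), this Python sketch builds a credential-bearing URL and refuses to continue unless the name a resolver would see is still the host the user typed. The function names and the naive concatenation in the demo are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, quote


def dns_name(url):
    """Return the hostname a resolver would be asked for, or '' if none."""
    return urlsplit(url).hostname or ""


def assert_same_host(url, expected_host):
    """Raise before any lookup if the URL's host is not the expected one."""
    actual = dns_name(url)
    if actual != expected_host.lower():
        # Do not echo `actual`: it may contain the secret.
        raise ValueError("host changed while adding credentials; refusing lookup")


def with_credentials(base_url, username, password):
    """Insert percent-encoded userinfo into base_url without altering its host."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported or host-less URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("base URL already carries userinfo")
    # Encode every reserved character so '@', ':' or '/' in the secret
    # cannot move the boundary between userinfo and host.
    userinfo = quote(username, safe="") + ":" + quote(password, safe="")
    candidate = urlunsplit((parts.scheme, userinfo + "@" + parts.netloc,
                            parts.path, parts.query, parts.fragment))
    assert_same_host(candidate, parts.hostname)
    return candidate


if __name__ == "__main__":
    # Constructed demo using the values from the report.
    good = with_credentials("https://example.com", "", "secretpassword")
    print(good, "->", dns_name(good))
    # Constructed faulty assembly: secret joined to the host with no '@'.
    naive = "https://" + "secretpassword" + "example.com"
    print("naive assembly would resolve:", dns_name(naive))
    try:
        assert_same_host(naive, "example.com")
    except ValueError as exc:
        print("blocked:", exc)
```

Running the same host comparison in a unit test for whatever code assembles the repository URL catches this class of leak without sending any DNS traffic.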