FTP username and password must be written on command line (security hazard)

Bug #34685 reported by Michal Krenek (Mikos) on 2006-03-13

Bug Description

If I want to use the 'push' command with FTP, I must specify the username and password on the command line, for example:

bzr push ftp://username:<email address hidden>

This is really bad behaviour and a security hazard (the password can, for example, be seen in BASH history); there should be a dialog for the username and password if they are not specified on the command line.

There is already a method, ui_factory.get_password, used in SFTP; why not use it in FTP as well?

description: updated
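
The prompt-when-missing behaviour the report asks for, as an added example that is not part of the report or of bzr's code. It uses the standard-library `getpass` as a stand-in for `ui_factory.get_password`; the names `resolve_ftp_credentials` and `FtpLogin` and the sample URL are constructed for illustration.

```python
import getpass
from collections import namedtuple
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Hypothetical result type for this example (not a bzr structure).
FtpLogin = namedtuple("FtpLogin", "user password safe_url password_in_url")


def resolve_ftp_credentials(url, prompt=getpass.getpass):
    """Take the password from the URL if given, otherwise prompt for it.

    `prompt` reads from the terminal without echo, so a prompted password
    never reaches argv (visible in `ps`) or the shell history.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        raise ValueError("expected ftp://[user[:password]@]host/path")

    # urlsplit leaves userinfo percent-encoded; decode before use.
    user = unquote(parts.username) if parts.username else getpass.getuser()
    in_url = parts.password is not None
    password = unquote(parts.password) if in_url else None

    # Rebuild the URL without the password for logs and error messages.
    host = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    netloc = "%s@%s" % (quote(user, safe=""), host)
    safe_url = urlunsplit((parts.scheme, netloc, parts.path, "", ""))

    if not in_url:
        password = prompt("FTP password for %s: " % safe_url)
    return FtpLogin(user, password, safe_url, in_url)


if __name__ == "__main__":
    # Constructed sample URL; no password on the command line.
    login = resolve_ftp_credentials("ftp://alice@ftp.example.com/project")
    print("connecting to", login.safe_url)
```

The `password_in_url` flag lets a caller warn when the password was supplied in the URL and has therefore already been exposed to the process list and shell history.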
Michal Krenek (Mikos) (mikos) wrote :

I think this is a really critical bug (because of the security hazard), so I have raised the severity to "Critical" and the priority to "High". I hope it will be corrected in version 0.8.

If this is not the right practice, then I am sorry and you can correct the severity/priority to the right value.

I am a beginner in Python, but even so I have tried to make a patch. I have used bzrlib/transport/sftp.py as a model example. It works well, but as I said I am a beginner, so please verify whether it is a good solution.

If it is good, please somebody merge it to bzr.dev.

James Blackwell (jblack) wrote :

I agree that this is a bug that needs to get resolved prior to the first stable. The user isn't unknowingly exposing his password.

As such, I've downgraded the bug to normal but have confirmed it.

I don't think that the patch solves the problem in quite the right way. Perhaps we can work through the solution for this one together.

Changed in bzr:
status: Unconfirmed → Confirmed
Matthieu Moy (matthieu-moy) wrote :

Not considering this as security critical is IMHO a mistake.

The password appears not only on the screen and in the shell history, but also in the output of "ps -aux" for any other user on the machine.

There is already a proposal to fix it here:


(This is the "not 100% secure, but convenient and mostly satisfying" method. The command-line prompt is also useful for people who accept typing the password repeatedly and are not willing to store it on disk.)

Martin Pool (mbp) wrote :

Fixed prior to 0.15.

Changed in bzr:
status: Confirmed → Fix Released