Fixed: SVN errors lead to svn username/password being displayed to end users (#1368).

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1493 e93f8b46-1217-0410-a6f0-8f06a7374b81

1 files changed, 14 insertions, 3 deletions

diff --git a/lib/redmine/scm/adapters/abstract_adapter.rb b/lib/redmine/scm/adapters/abstract_adapter.rb
index 8fbae9ff8..9563ed800 100644
--- a/lib/redmine/scm/adapters/abstract_adapter.rb
+++ b/lib/redmine/scm/adapters/abstract_adapter.rb
@@ -118,7 +118,7 @@ module Redmine
         def logger
           RAILS_DEFAULT_LOGGER
         end
-      
+        
         def shellout(cmd, &block)
           logger.debug "Shelling out: #{cmd}" if logger && logger.debug?
           begin
@@ -127,11 +127,22 @@ module Redmine
               block.call(io) if block_given?
             end
           rescue Errno::ENOENT => e
+            msg = strip_credential(e.message)
             # The command failed, log it and re-raise
-            logger.error("SCM command failed: #{cmd}\n  with: #{e.message}")
-            raise CommandFailed.new(e.message)
+            logger.error("SCM command failed: #{strip_credential(cmd)}\n  with: #{msg}")
+            raise CommandFailed.new(msg)
           end
         end  
+        
+        # Hides username/password in a given command
+        def self.hide_credential(cmd)
+          q = (RUBY_PLATFORM =~ /mswin/ ? '"' : "'")
+          cmd.to_s.gsub(/(\-\-(password|username))\s+(#{q}[^#{q}]+#{q}|[^#{q}]\S+)/, '\\1 xxxx')
+        end
+        
+        def strip_credential(cmd)
+          self.class.hide_credential(cmd)
+        end
       end
       
       class Entries < Array