What version are you running?
post-review 0.8
Please provide any additional information below.
When using the --password parameter, the password for that user is visible
to everybody on the machine (e.g. with "ps ax" on Linux).
One should be able to set the password in configuration file, which then
can be configured to be readable only by the user running post-review. That
way there is no password leak.
I put that has a defect because it can be a big security leak, especially
when post-review is run by an automated tool like a post-commit hook. In
this setup, post-review needs to have access to the whole
repository/repositories on the server so if a user can get hold of this
password, he can circumvent any read limitation in the SCM.
This bug can be mitigated with the cookie (but then it means that every
year, the admin must remember to renew it)
