Password is exposed through browser option "view page source"

      The password you provide to Mask Password plugin is visible as plain text when you view the configure (either global or job specific) page sources.

          [JENKINS-14687] Password is exposed through browser option "view page source"

          Gregory Boissinot added a comment - For information, the EnvInject plugin meets your need. It supports password variables, and password values are hidden when you source the generated page.

          Daniel Petisme added a comment - The Mask password plugin aims to hide your passwords in the jobs console output... It can be an interesting/mandatory ER for the next release. I hope to have the time to spend on this improvement. I will keep you informed.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Nicolas De Loof
          Path:
          src/main/resources/com/michelin/cio/hudson/plugins/maskpasswords/MaskPasswordsBuildWrapper/config.jelly
          http://jenkins-ci.org/commit/mask-passwords-plugin/9ba2d2b643610ba4e729164a59d94402d9a763eb
          Log:
          [FIXED JENKINS-14687] encrypt password in HTML

          Daniel Beck added a comment -

          Fix does not apply to global Jenkins config password form.


          Jesse Glick added a comment -

          @danielbeck what do you mean by that? Are you referring to VarPasswordPair? The Jelly looks correct to me.


          Daniel Beck added a comment -

          jglick I meant global as in global.jelly: https://github.com/jenkinsci/mask-passwords-plugin/blob/master/src/main/resources/com/michelin/cio/hudson/plugins/maskpasswords/MaskPasswordsBuildWrapper/global.jelly#L48 The fix is incomplete.

          Jesse Glick added a comment -

          True, that should be using passwordAsSecret rather than password. A properly written test against Jenkins 1.551+ ought to fail given this kind of mistake: https://github.com/jenkinsci/jenkins/commit/bf53919
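
A regression check in the spirit of the point above that a test should catch a plaintext `password` binding, as an added example that is not part of the original thread or the plugin's code: it scans rendered configuration HTML for password inputs whose value is not in encrypted form. The `{base64}` encrypted form, the field names and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: an encrypted secret is rendered as "{<base64>}"; any other
# non-empty value in a password field is treated as exposed plaintext.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose value attribute looks like plaintext."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line number, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        # An empty value leaks nothing; an encrypted value is acceptable.
        if value and not ENCRYPTED.match(value):
            line, _ = self.getpos()
            self.findings.append((line, a.get("name", "?")))


def audit(html):
    """Return (line, name) for every password input exposing plaintext."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a rendered configure page (hypothetical field names).
SAMPLE = """<form>
<input type="password" name="job.password" value="hunter2-constructed">
<input type="password" name="global.password" value="{AQAAABAAAAAQY29uc3RydWN0ZWQ=}">
<input type="password" name="unset.password" value="">
<input type="text" name="job.var" value="DB_PASS">
</form>"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: password field {name!r} carries a plaintext value")
```

Run against the saved page source of both the job and the global configuration pages, since the thread shows the two forms were fixed separately.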


          Oleg Nenashev added a comment -

          The issue has been resolved in 2.7.3


            danielpetisme Daniel Petisme
            miktap Mikko Tapaninen