Bug
Resolution: Fixed
Critical
None
On Tuesday, February 26, 2013 at 3:46 AM, James Howe wrote:
Anything set in Build Environment under mask passwords is also listed
by your plugin, as well as the global passwords under Configure
System.
It's http://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin
by the way - and I've not noticed any other plugins we have installed
leaking them in plaintext.
On 25 February 2013 23:25, Nalin <nalin.makar@gmail.com> wrote:
Thanks James for reporting the issue. I got a bit lazy/busy and didn't get
around to getting everything configured. I'll work on getting these resolved
soon.
While you're implementing masked passwords correctly, may I also
suggest that the report only lists actually parameterized properties,
otherwise it gets quite hard to spot the ones that are changing at a
glance.
Can you give an example? Isn't that what it's already doing? It only lists
out the actual parameters. What are you seeing?
-nalin
On Monday, February 25, 2013 at 8:46 AM, James Howe wrote:
I was about to go file a quite major bug, but then discovered you've
not got an entry on Jenkins JIRA, the Source Code link on Jenkins wiki
points to the wrong place, and your actual GitHub repository has
Issues disabled.
Anyway, your plugin rather kindly exposes all the Global and Project
passwords, unmasked, for anyone to see.
As you can imagine, this is quite a large flaw and means we can't use
it (and have to do some cleanup to remove the offending plaintext).
While you're implementing masked passwords correctly, may I also
suggest that the report only lists actually parameterized properties,
otherwise it gets quite hard to spot the ones that are changing at a
glance.
Regards,
James