Please explain how this can be reproduced.

In "Inject passwords to the build as environment variables", specifying a password foobar and saving, accessing the page afterwards results in 4l1OLblQ8negGA2Ldqe6HCiHhu+VGHtVSEQdPSSDna8= being entered in the password field (it's obviously much longer, and inspect element shows the value). Even when enabling password storage in my browser after saving the config page the first time (Firefox 28). Jenkins 1.532.2, env-inject 1.89.

We found this with the maven-metadata-plugin, where it's certainly more problematic than with EnvInject. If you save empty password fields (which with maven-metadata-plugin is "normal"), then e.g. Chrome will augment the POST with a saved Jenkins account password (and the user will not necessarily notice this).

But since the cure is easy and unintrusive, is it really important how often accidents might happen? I doubt you'll ever want autofill in these fields.

This is especially important in view of JENKINS-22338 where safari remembers the jenkins login and password and then proceed to fill that in in (e.g., for us) the perforce SCM section of projects! (We use a separate user for building in perforce, so this breaks the project on every edit of a project by a user using safari, unless they are aware and turn the feature to remember passwords off!)

Does this issue still occur in Jenkins 2.15 and newer, which disables autofill for most configuration forms completely?

Hi danielbeck , I would like to know is it possible to enable autofill function on Jenkins 2? It's very inconvenient for us to input every parameters every time.  

Thanks.

dimeng Allowing form autocompletion results in broken configurations in Jenkins, that's why we disabled it for forms in Jenkins. See JENKINS-18435 and all the issues linked from there.