• Type: Bug
• Resolution: Unresolved
• Priority: Major
• Component: envinject-plugin
• Labels: None
• Environment: Jenkins 1.556 envinject 1.89

[JENKINS-22629] Prevent autofill of password entry fields

The "envInjectPasswordEntry.password" input field in the job config, and also the related field in the global config, should get an autocomplete="off" attribute – else there's the real danger of leaking the Jenkins login password by browser auto-fill.

          Jürgen Hermann created issue -
          Jürgen Hermann made changes -
          Link New: This issue is related to JENKINS-22288 [ JENKINS-22288 ]

          Daniel Beck added a comment -

          Please explain how this can be reproduced.

          In "Inject passwords to the build as environment variables", specifying a password foobar and saving, accessing the page afterwards results in 4l1OLblQ8negGA2Ldqe6HCiHhu+VGHtVSEQdPSSDna8= being entered in the password field (it's obviously much longer, and inspect element shows the value). Even when enabling password storage in my browser after saving the config page the first time (Firefox 28). Jenkins 1.532.2, env-inject 1.89.


          We found this with the maven-metadata-plugin, where it's certainly more problematic than with EnvInject. If you save empty password fields (which with maven-metadata-plugin is "normal"), then e.g. Chrome will augment the POST with a saved Jenkins account password (and the user will not necessarily notice this).

          But since the cure is easy and unintrusive, is it really important how often accidents might happen? I doubt you'll ever want autofill in these fields.

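The issue description asks for autocomplete="off" on the EnvInject password inputs, and the comment above describes the failure mode (a browser silently filling a saved Jenkins account password into an empty password field and submitting it with the job config). The following is an added example, not code from EnvInject or Jenkins: a small audit that scans rendered form HTML for password inputs that do not opt out of autofill, and a helper that adds the attribute. The field markup is constructed for the example; only the field name envInjectPasswordEntry.password comes from the issue.

```javascript
// Added example (not part of the EnvInject plugin or Jenkins core): audit
// rendered form HTML for <input type="password"> fields that a browser may
// auto-fill, and produce the hardened markup. The tag scanner is deliberately
// simple and sufficient for form markup like this; a real audit would use a
// DOM parser.

// Constructed sample markup: the field as the issue describes it (no
// autocomplete attribute) beside the hardened form it asks for.
const VULNERABLE_FIELD =
  '<input type="password" name="envInjectPasswordEntry.password" value="">';
const HARDENED_FIELD =
  '<input type="password" name="envInjectPasswordEntry.password" value="" autocomplete="off">';

// Parse every <input ...> tag in the HTML into an attribute map
// (attribute names lower-cased, unquoted or quoted values accepted).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w:.-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      const val = a[2] !== undefined ? a[2]
                : a[3] !== undefined ? a[3]
                : a[4] !== undefined ? a[4] : '';
      attrs[a[1].toLowerCase()] = val;
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return the names of password inputs that do not carry autocomplete="off",
// i.e. the fields a browser's saved-password feature may populate.
function findAutofillablePasswordFields(html) {
  return parseInputs(html)
    .filter(a => (a.type || 'text').toLowerCase() === 'password')
    .filter(a => (a.autocomplete || '').toLowerCase() !== 'off')
    .map(a => a.name || '(unnamed)');
}

// Rewrite the HTML so every password input carries autocomplete="off";
// inputs that already opt out, and non-password inputs, are left untouched.
function hardenPasswordFields(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseInputs(tag)[0];
    if ((attrs.type || '').toLowerCase() !== 'password') return tag;
    if ((attrs.autocomplete || '').toLowerCase() === 'off') return tag;
    // Drop any other autocomplete value before appending the opt-out.
    const cleaned = body.replace(
      /\s+autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/gi, '');
    return `<input${cleaned} autocomplete="off">`;
  });
}

// Usage: run the audit over a rendered config page's HTML.
console.log(findAutofillablePasswordFields(VULNERABLE_FIELD)); // ["envInjectPasswordEntry.password"]
console.log(findAutofillablePasswordFields(HARDENED_FIELD));   // []
console.log(hardenPasswordFields(VULNERABLE_FIELD) === HARDENED_FIELD); // true
```

Two caveats for anyone applying this: browsers treat autocomplete="off" as a hint and several ignore it for fields they classify as login credentials, so the attribute reduces but does not eliminate the risk of a saved password being submitted; and, as a later comment in this thread notes, Jenkins 2.15 and newer disable autofill for most configuration forms, so the audit matters most on older cores and on plugin forms that render their own password inputs.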
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-22338 [ JENKINS-22338 ]

Arnt Witteveen added a comment (edited)

This is especially important in view of JENKINS-22338, where Safari remembers the Jenkins login and password and then proceeds to fill that in (e.g., for us) the Perforce SCM section of projects! (We use a separate user for building in Perforce, so this breaks the project on every edit of a project by a user using Safari, unless they are aware and turn the feature to remember passwords off!)

          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 154739 ] New: JNJira + In-Review [ 178904 ]

          Daniel Beck added a comment -

          Does this issue still occur in Jenkins 2.15 and newer, which disables autofill for most configuration forms completely?

          di meng made changes -
          Assignee Original: Gregory Boissinot [ gbois ] New: di meng [ dimeng ]
          di meng made changes -
          Assignee Original: di meng [ dimeng ]

Assignee: Gregory Boissinot (gbois)
Reporter: Jürgen Hermann (jhermann)
Votes: 3
Watchers: 6