- Bug
- Resolution: Fixed
- Critical
Team Foundation Server Plugin v3.0.1
The password that is entered in the job configuration when connecting to TFS is visible in the browser's "view source". This is a big issue for us because we need to use our domain users to connect to TFS and Jenkins is open to everyone in the company.
The value in the password field when you enter configuration and the password was already set should be a placeholder that indicates to the server that the password didn't change from the last time (something like "samepassword", but more complex, to prevent actual users from using that password).
Code changed in jenkins
User: Nicolas De Loof
Path:
pom.xml
src/main/java/hudson/plugins/tfs/TeamFoundationServerScm.java
src/main/resources/hudson/plugins/tfs/TeamFoundationServerScm/config.jelly
src/test/java/hudson/plugins/tfs/browsers/TeamSystemWebAccessBrowserTest.java
http://jenkins-ci.org/commit/tfs-plugin/5e391d94d936c5837048d63eb83b7a11a9ffdcdd
Log:
[FIXED JENKINS-23033] don’t use String but Secret to store password
UI binding will use a cipher and avoid it being exposed as plain text in the HTML form.
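
The pattern the commit message describes, as an added example that is not the plugin's actual code: the class `ExampleScm` and its members are hypothetical, and it assumes jenkins-core is on the classpath.

```java
// Added illustration: ExampleScm and its member names are hypothetical, not the plugin's code.
// Assumes jenkins-core on the classpath (hudson.util.Secret, @DataBoundConstructor).
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ExampleScm {
    private final String userName;
    // Holding the password as Secret means it is persisted in encrypted form
    // instead of as a plain String.
    private final Secret password;

    // Stapler binds the submitted form value. Secret.fromString() first tries to
    // treat it as ciphertext (an unchanged field posted back) and otherwise
    // treats it as a newly typed plain-text password.
    @DataBoundConstructor
    public ExampleScm(String userName, String password) {
        this.userName = userName;
        this.password = Secret.fromString(password);
    }

    public String getUserName() {
        return userName;
    }

    // Returning Secret (not String) is what lets <f:password field="password"/>
    // in config.jelly put the encrypted value, not the plain text, into the form.
    public Secret getPassword() {
        return password;
    }

    // Decrypt only at the point of use (for example when invoking the TFS tool);
    // the result must not be logged or rendered.
    String passwordForTool() {
        return Secret.toString(password);
    }
}
```

With a `String` getter the same form control would write the clear-text password into the page source, which is the behaviour reported above.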