JENKINS-23033

TFS Password visible in view source


Details

    Description

      The password that is entered in the job configuration when connecting to TFS is visible in the browser's "view source". This is a big issue for us because we need to use our domain users to connect to TFS and Jenkins is open to everyone in the company.
      The value in the password field when you enter configuration and the password was already set should be a placeholder that indicates to the server that the password didn't change from the last time (something like "samepassword", but more complex, to prevent actual users from using that password).

        Activity

          mompox Roberto Powell created issue -

          Code changed in jenkins
          User: Nicolas De Loof
          Path:
          pom.xml
          src/main/java/hudson/plugins/tfs/TeamFoundationServerScm.java
          src/main/resources/hudson/plugins/tfs/TeamFoundationServerScm/config.jelly
          src/test/java/hudson/plugins/tfs/browsers/TeamSystemWebAccessBrowserTest.java
          http://jenkins-ci.org/commit/tfs-plugin/5e391d94d936c5837048d63eb83b7a11a9ffdcdd
          Log:
          [FIXED JENKINS-23033] don’t use String but Secret to store password
          UI binding will use a cipher and avoid it to be exposed as plain text in HTML form.

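A regression check for the exposure reported above, added here as an example and not taken from the tfs-plugin or the ticket: it audits the HTML source of a rendered job-configuration page for a throwaway canary password. The field names, the canary value and the three page sources are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

CANARY = "C4nary&Only!"  # constructed throwaway password saved in a test job

# Constructed page sources: before the fix (plaintext) and after (opaque value).
VULNERABLE_PAGE = (
    '<form><input type="text" name="userName" value="builder">'
    '<input type="password" name="password" value="C4nary&amp;Only!"></form>'
)
FIXED_PAGE = VULNERABLE_PAGE.replace("C4nary&amp;Only!", "{CONSTRUCTED-CIPHERTEXT}")
HIDDEN_LEAK_PAGE = FIXED_PAGE + '<input type="hidden" name="prev" value="C4nary&amp;Only!">'


class PasswordInputs(HTMLParser):
    """Collects (name, value) of every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attr = {k: v or "" for k, v in attrs}  # values arrive entity-decoded
        if tag == "input" and attr.get("type", "").lower() == "password":
            self.fields.append((attr.get("name", ""), attr.get("value", "")))


def audit_config_page(page, canary):
    """Return findings showing where the canary password reaches the browser."""
    parser = PasswordInputs()
    parser.feed(page)
    parser.close()
    findings = [("plaintext-in-password-field", name)
                for name, value in parser.fields if value == canary]
    # The secret may also leak outside the field, raw or entity-escaped.
    if not findings and (canary in page or escape(canary) in page):
        findings.append(("plaintext-elsewhere-in-source", ""))
    return findings


if __name__ == "__main__":
    for label, page in [("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE),
                        ("hidden leak", HIDDEN_LEAK_PAGE)]:
        print(label, audit_config_page(page, CANARY))
```

An empty result means the canary never reached the page source; any finding means the stored password is still being sent to every user who can open the configuration form.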
          scm_issue_link SCM/JIRA link daemon made changes -
          Field Original Value New Value
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]

          Code changed in jenkins
          User: Nicolas De Loof
          Path:
          src/main/java/hudson/plugins/tfs/TeamFoundationServerScm.java
          src/main/resources/hudson/plugins/tfs/TeamFoundationServerScm/config.jelly
          src/test/java/hudson/plugins/tfs/browsers/TeamSystemWebAccessBrowserTest.java
          http://jenkins-ci.org/commit/tfs-plugin/bd98b91ea614c307a6bb1e0af36d9dd2a5646e29
          Log:
          [FIXED JENKINS-23033] don’t use String but Secret to store password
          UI binding will use a cipher and avoid it to be exposed as plain text in HTML form.

          oli_at_jsi Olivier Dagenais made changes -
          Assignee redsolo [ redsolo ] Olivier Dagenais [ oli_at_jsi ]
          Labels password security

          oli_at_jsi Olivier Dagenais added a comment - Fixed in version 3.2.0
          oli_at_jsi Olivier Dagenais made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          gil_ali Gil CHADLY added a comment -

          Hi, you said that this issue was fixed in the version 3.2.0. Is that a Jenkins version? I thought the latest one nowadays was 1.633.

          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 155354 ] JNJira + In-Review [ 207710 ]

          People

            oli_at_jsi Olivier Dagenais
            mompox Roberto Powell