[ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gilles Scokart updated IVY-486:
-------------------------------

    Attachment: IVY-486.patch

I have checked in the latest version of the trunk, and it seems that the 
messages are initialized before the credentials are set.  So taking the 
2.0-alpha-1 might also be a good workaround.

Anyway, here is a patch that avoids logging the password, even in debug mode.  
This can indeed be a security hole in some cases (the hacker manages to change the 
log level used by an Ant script that he is not supposed to be able to read).

> Credentials are shown in build log even if debug is not enabled
> ---------------------------------------------------------------
>
>                 Key: IVY-486
>                 URL: https://issues.apache.org/jira/browse/IVY-486
>             Project: Ivy
>          Issue Type: Bug
>          Components: Ant
>    Affects Versions: 1.4.1
>            Reporter: Pavel Sher
>         Attachments: IVY-486.patch
>
>
> I have the following construction in my Ant build.xml:
>     <ivy-configure file="${basedir}/ivyconf.xml">
>       <credentials host="host" realm="realm" username="user" passwd="pass" />
>     </ivy-configure>
> When Ant starts this build.xml I see in the output: 
> credentials added [EMAIL PROTECTED] user/pass
> This output is produced by CredentialsStore class even if debug level is not 
> enabled. As I can see the problem is that Messages.init is called after the 
> adding of credentials and this message goes right to the system error and 
> then it is printed by Ant itself. The problem is critical for me because I 
> want to use this build.xml in the continuous integration server and I do not 
> want my credentials to be shown in the build log. Is there a workaround for 
> this?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
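
The leak discussed in this thread, as an added Java example (not Ivy's code and not the attached patch): a message that embeds the password is exposed whenever it reaches any output, so the masking belongs in the message itself rather than in the log level. The class and method names, the log format and the sample values are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: all names here are hypothetical, not Ivy's CredentialsStore API.
public class MaskedCredentialsDemo {

    /** Holds one credentials entry; the password never appears in toString(). */
    static final class Credentials {
        final String realm, host, userName;
        private final String passwd;

        Credentials(String realm, String host, String userName, String passwd) {
            this.realm = realm; this.host = host;
            this.userName = userName; this.passwd = passwd;
        }

        /** Only for the code that performs the authentication. */
        String getPasswd() { return passwd; }

        /** Fixed-width mask: reveals neither the password nor its length. */
        @Override public String toString() {
            return "realm=" + realm + " host=" + host + " user=" + userName
                    + " secret=" + (passwd == null ? "<none>" : "******");
        }
    }

    /** Stand-in for a logger that emits every line regardless of level,
     *  as happens when messages are written before logging is initialized. */
    static final List<String> LOG = new ArrayList<>();

    /** Leaky form: the message text itself carries the secret. */
    static void addLeaky(Credentials c) {
        LOG.add("credentials added: " + c.realm + " " + c.host + " "
                + c.userName + "/" + c.getPasswd());
    }

    /** Hardened form: the message is built from toString(), which masks the secret. */
    static void addMasked(Credentials c) {
        LOG.add("credentials added: " + c);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        Credentials c = new Credentials("realm", "host", "user", "hunter2-constructed");
        addLeaky(c);
        addMasked(c);
        for (String line : LOG) {
            System.out.println((line.contains(c.getPasswd()) ? "LEAK  " : "OK    ") + line);
        }
    }
}
```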
