[JIRA] (JENKINS-12747) Perforce Passwords are exposed by the EnvInject plugin

Mon, 13 Feb 2012 08:00:35 -0800 

Mike Winters created JENKINS-12747:
--------------------------------------

             Summary: Perforce Passwords are exposed by the EnvInject plugin
                 Key: JENKINS-12747
                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12747
             Project: Jenkins
          Issue Type: Bug
          Components: envinject, perforce
         Environment: Windows 7 Enterprise SP1 (x64)
Jenkins 1.450
EnvInject 1.20
Perforce 1.3.7
Mask Passwords 2.7.2
            Reporter: Mike Winters
            Assignee: gbois


Originally reported as part of JENKINS-12423, I am reopening this as a separate 
defect at the author's request. My original defect report from that issue is as 
follows:

With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 
2.7.2, the Perforce passwords are being displayed in plain text on the 
"Injected Environment Variables" page. I have tried setting the passwords to be 
masked in the global Jenkins config as well as in the individual jobs, but 
nothing I have tried is masking the passwords.

In the case of the Perforce passwords, the issue was happening before I 
installed the Mask Passwords plugin (I only installed that in an attempt to 
hide the passwords). It seems that perhaps the Perforce plugin (and plugins for 
other source control systems?) are exposing the passwords in a way that the 
EnvInject plugin doesn't know to look for. I'm not sure where the best place to 
fix this is, or what the optimal fix should be, as I am not familiar with the 
Jenkins codebase or the code for any of the relevant plugins. However, the 
quicker a solution can be implemented, the happier I will be :). Thanks!


After updating to EnvInject 1.20, the Perforce password is still being exposed 
(P4PASSWD variable) on the "Injected Environment Variables" page available on 
the left menu on each build. I suspect that this may require changes to both 
the EnvInject plugin and the Perforce plugin.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to