[JIRA] (JENKINS-12747) Perforce Passwords are exposed by the EnvInject plugin

[mike.wint...@dataflux.com (JIRA)]

    [ 
https://issues.jenkins-ci.org/browse/JENKINS-12747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158971#comment-158971
 ] 

Mike Winters commented on JENKINS-12747:
----------------------------------------

Yes- that option is unchecked, but it does not affect the password displayed by 
the EnvInject plugin.
                
> Perforce Passwords are exposed by the EnvInject plugin
> ------------------------------------------------------
>
>                 Key: JENKINS-12747
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12747
>             Project: Jenkins
>          Issue Type: Bug
>          Components: envinject, perforce
>         Environment: Windows 7 Enterprise SP1 (x64)
> Jenkins 1.450
> EnvInject 1.20
> Perforce 1.3.7
> Mask Passwords 2.7.2
>            Reporter: Mike Winters
>            Assignee: gbois
>
> Originally reported as part of JENKINS-12423, I am reopening this as a 
> separate defect at the author's request. My original defect report from that 
> issue is as follows:
> With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 
> 2.7.2, the Perforce passwords are being displayed in plain text on the 
> "Injected Environment Variables" page. I have tried setting the passwords to 
> be masked in the global Jenkins config as well as in the individual jobs, but 
> nothing I have tried is masking the passwords.
> In the case of the Perforce passwords, the issue was happening before I 
> installed the Mask Passwords plugin (I only installed that in an attempt to 
> hide the passwords). It seems that perhaps the Perforce plugin (and plugins 
> for other source control systems?) are exposing the passwords in a way that 
> the EnvInject plugin doesn't know to look for. I'm not sure where the best 
> place to fix this is, or what the optimal fix should be, as I am not familiar 
> with the Jenkins codebase or the code for any of the relevant plugins. 
> However, the quicker a solution can be implemented, the happier I will be :). 
> Thanks!
> After updating to EnvInject 1.20, the Perforce password is still being 
> exposed (P4PASSWD variable) on the "Injected Environment Variables" page 
> available on the left menu on each build. I suspect that this may require 
> changes to both the EnvInject plugin and the Perforce plugin.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira