[JIRA] (JENKINS-12747) Perforce Passwords are exposed by the EnvInject plugin

Mon, 13 Feb 2012 14:02:35 -0800 

    [ 
https://issues.jenkins-ci.org/browse/JENKINS-12747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158977#comment-158977
 ] 

Rob Petti commented on JENKINS-12747:
-------------------------------------

I'm unable to reproduce this... If I uncheck the "Expose P4PASSWD in 
environment" option, it does not show up in the "Injected Environment 
variables" screen on subsequent builds. This is using envinject 1.20, perforce 
plugin 1.3.7, and jenkins 1.450.
                
> Perforce Passwords are exposed by the EnvInject plugin
> ------------------------------------------------------
>
>                 Key: JENKINS-12747
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12747
>             Project: Jenkins
>          Issue Type: Bug
>          Components: envinject, perforce
>         Environment: Windows 7 Enterprise SP1 (x64)
> Jenkins 1.450
> EnvInject 1.20
> Perforce 1.3.7
> Mask Passwords 2.7.2
>            Reporter: Mike Winters
>            Assignee: gbois
>
> Originally reported as part of JENKINS-12423, I am reopening this as a 
> separate defect at the author's request. My original defect report from that 
> issue is as follows:
> With Jenkins 1.450, Perforce plugin 1.3.7, EnvInject 1.17, and Mask Passwords 
> 2.7.2, the Perforce passwords are being displayed in plain text on the 
> "Injected Environment Variables" page. I have tried setting the passwords to 
> be masked in the global Jenkins config as well as in the individual jobs, but 
> nothing I have tried is masking the passwords.
> In the case of the Perforce passwords, the issue was happening before I 
> installed the Mask Passwords plugin (I only installed that in an attempt to 
> hide the passwords). It seems that perhaps the Perforce plugin (and plugins 
> for other source control systems?) are exposing the passwords in a way that 
> the EnvInject plugin doesn't know to look for. I'm not sure where the best 
> place to fix this is, or what the optimal fix should be, as I am not familiar 
> with the Jenkins codebase or the code for any of the relevant plugins. 
> However, the quicker a solution can be implemented, the happier I will be :). 
> Thanks!
> After updating to EnvInject 1.20, the Perforce password is still being 
> exposed (P4PASSWD variable) on the "Injected Environment Variables" page 
> available on the left menu on each build. I suspect that this may require 
> changes to both the EnvInject plugin and the Perforce plugin.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to