Issue Type: Bug
Assignee: rsandell
Components: gerrit-trigger
Created: 23/May/14 11:22 AM
Description:

Secrets should never be stored in plaintext, and once stored, should never be sent back to the browser in plaintext. Declare the field and the bean property to be of type hudson.util.Secret, so it is protected by the master key. Form data binding with <f:password> and @DataBoundConstructor automatically deals with this; since you seem to be managing this form manually, just use fromString to convert an initially entered password, and for round-trips use getEncryptedValue and again fromString. XStream serialization will work properly automatically. PR upon request.

Project: Jenkins
Labels: security
Priority: Critical
Reporter: Jesse Glick
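
The round-trip described in the report, as an added sketch that is not code from the gerrit-trigger plugin or from the reporter. The class, field and method names are hypothetical, and clearing the password on an empty submission is an assumption of this sketch; only hudson.util.Secret and its fromString, getEncryptedValue and toString methods are Jenkins core API.

```java
import hudson.util.Secret;

/** Hypothetical configuration bean for a manually handled form. */
public class ExampleServerConfig {

    // Declared as Secret rather than String, so XStream persists the
    // encrypted form (protected by the master key) instead of plaintext.
    private Secret httpPassword;

    /**
     * Value to put into the password input when rendering the form.
     * The browser only ever receives the encrypted value.
     */
    public String getHttpPasswordForForm() {
        return httpPassword == null ? "" : httpPassword.getEncryptedValue();
    }

    /**
     * Called with the raw string the form submitted.
     * Secret.fromString decrypts a value that is already in encrypted form
     * (the untouched round-trip case) and wraps anything else as a newly
     * entered plaintext password, so both cases go through the same call.
     */
    public void setHttpPasswordFromForm(String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            httpPassword = null; // assumption: empty input clears the password
        } else {
            httpPassword = Secret.fromString(submitted);
        }
    }

    /** Bean property typed as Secret, as the report recommends. */
    public Secret getHttpPassword() {
        return httpPassword;
    }

    /**
     * Plaintext is produced only at the point of use, for example when
     * authenticating to the remote server. Returns "" when unset.
     */
    String plainTextForConnection() {
        return Secret.toString(httpPassword);
    }
}
```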