Posted to ivy-commits@incubator.apache.org by "Pavel Sher (JIRA)" <ji...@apache.org> on 2007/04/27 10:59:15 UTC

[jira] Created: (IVY-486) Credentials are shown in build log even if debug is not enabled

Credentials are shown in build log even if debug is not enabled
---------------------------------------------------------------

                 Key: IVY-486
                 URL: https://issues.apache.org/jira/browse/IVY-486
             Project: Ivy
          Issue Type: Bug
          Components: Ant
    Affects Versions: 1.4.1
            Reporter: Pavel Sher


I have the following construction in my Ant build.xml:
    <ivy-configure file="${basedir}/ivyconf.xml">
      <credentials host="host" realm="realm" username="user" passwd="pass" />
    </ivy-configure>

When Ant starts this build.xml I see in the output: 
credentials added realm@host user/pass

This output is produced by the CredentialsStore class even if debug level is not enabled. As far as I can see, the problem is that Messages.init is called after the credentials are added, so this message goes right to the system error stream and is then printed by Ant itself. The problem is critical for me because I want to use this build.xml on the continuous integration server and I do not want my credentials to be shown in the build log. Is there a workaround for this?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Xavier Hanin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12492270 ] 

Xavier Hanin commented on IVY-486:
----------------------------------

I think the workaround is to use the inline credentials settings:
{code:xml}
<ivy-configure file="${basedir}/ivyconf.xml" host="host" realm="realm" username="user" passwd="pass" />
{code}
Indeed these credentials are added only after Messages is initialized, and thus should not be displayed if you aren't in debug mode.

Another solution is to patch Ivy to fix this problem (calling ensureMessageInitialised() in IvyConfigure.addConfiguredCredentials() should do the trick) and contribute the patch as a fix once you've tested it works for you.



[jira] Commented: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Gilles Scokart (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12492640 ] 

Gilles Scokart commented on IVY-486:
------------------------------------

It is nice also. The help that you give to a hacker is very limited, and you still provide a little help for the guys that are debugging their build script.



[jira] Commented: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Gilles Scokart (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12492272 ] 

Gilles Scokart commented on IVY-486:
------------------------------------

If you only need credentials to get the configuration file (now called settings file in 2.0), the workaround might be to not use a remote configuration file. You can maybe first download the file from your Ant script, then use it locally.

But if your credentials are also supposed to be used to access repositories... then there is indeed a big security issue!



[jira] Updated: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Gilles Scokart (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gilles Scokart updated IVY-486:
-------------------------------

    Attachment: IVY-486.patch

I have checked in the latest version of the trunk, and it seems that the messages are initialized before the credentials are set. So taking the 2.0-alpha-1 might also be a good workaround.

Anyway, here is a patch that avoids logging the password, even in debug mode. This can indeed be a security hole in some cases (the hacker manages to change the log level used by an Ant script that he is not supposed to be able to read).



[jira] Commented: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Xavier Hanin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12492289 ] 

Xavier Hanin commented on IVY-486:
----------------------------------

Indeed it's even more secure. But maybe we lose too much info. What do you think of this:
{code:java}
	/**
	 * Return a string that can be used for debug purpose.  It contains only stars for each password character.
	 */
	public String toString() {
		return getKey() + " " + getUserName() + "/" + getPasswdAsStars();
	}

	private String getPasswdAsStars() {
		if (_passwd == null) {
			return null;
		}
		StringBuffer sb = new StringBuffer();
		for (int i = _passwd.length(); i>0; i--) {
			sb.append('*');
		}
		return sb.toString();
	}
{code}


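For build logs already produced by an affected version, the line format quoted in the report can be detected and redacted after the fact. The following is an added example, not part of the thread or of Ivy's code base: `BuildLogScrubber` and its methods are hypothetical names, the sample log is constructed, and the mask is a constant width so that, unlike one star per character as proposed in the comment above, it does not reveal the password length.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; BuildLogScrubber is a hypothetical name, not an Ivy class. */
public class BuildLogScrubber {
    // Line shape taken from the report: "credentials added <realm>@<host> <user>/<passwd>".
    // Assumptions: host and user contain no whitespace, and the user contains no '/'.
    // Reluctant quantifiers keep an '@' or '/' inside the password out of group 1.
    private static final Pattern LEAK =
            Pattern.compile("^(.*?credentials added .*?@\\S+ [^/\\s]+/)(.*)$");

    // Constant-width mask: the same output for any password, including an empty one.
    private static final String MASK = "********";

    /** Returns the line with the password replaced, or the line unchanged if it does not match. */
    static String scrub(String line) {
        Matcher m = LEAK.matcher(line);
        return m.matches() ? m.group(1) + MASK : line;
    }

    /** Returns the 1-based numbers of the lines that carry a password. */
    static List<Integer> findLeaks(List<String> lines) {
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            if (LEAK.matcher(lines.get(i)).matches()) {
                hits.add(i + 1);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log; the second line uses the format quoted in the report,
        // the third one a password that itself contains '@', ' ' and '/'.
        List<String> log = List.of(
                "Buildfile: build.xml",
                "credentials added realm@host user/pass",
                "credentials added realm@host user/p@ss x/y",
                "BUILD SUCCESSFUL");
        System.out.println("leaking lines: " + findLeaks(log));
        for (String line : log) {
            System.out.println(scrub(line));
        }
    }
}
```

A match in an archived log means the credential was exposed to everyone who could read that log, so redaction alone is not enough: the password should be rotated as well.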

[jira] Resolved: (IVY-486) Credentials are shown in build log even if debug is not enabled

Posted by "Xavier Hanin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xavier Hanin resolved IVY-486.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0-alpha-2

Ok, so I've checked in the fix like that. Thanks for your contribution Gilles, and thanks for your bug report Pavel!
