Posted to issues@maven.apache.org by "Christian K. (JIRA)" <ji...@apache.org> on 2016/04/05 13:43:25 UTC

[jira] [Comment Edited] (MJAVADOC-447) Command line dump reveals proxy user/password in case of errors

    [ https://issues.apache.org/jira/browse/MJAVADOC-447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15226106#comment-15226106 ] 

Christian K. edited comment on MJAVADOC-447 at 4/5/16 11:43 AM:
----------------------------------------------------------------

An additional issue is that the password is also generated into the javadoc.bat which is being used to invoke the javadoc tool.

In case of an error this file will not be deleted and remains in Maven output folders. Based on this there is a risk that the password is leaked via the javadoc.bat file.

Ideally it would be helpful to have an option to disable the proxy settings to avoid the password issues altogether since in some use cases internet access isn't necessary.


was (Author: christian.k.2510):
An additional issue is that the password is also generated into the javadoc.bat which is being used to invoke the javadoc tool.

In case of an error this file will not be deleted and remains in Maven output folders. Based on this there is a risk that the password is leaked via the javadoc.bat file.

> Command line dump reveals proxy user/password in case of errors
> ---------------------------------------------------------------
>
>                 Key: MJAVADOC-447
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-447
>             Project: Maven Javadoc Plugin
>          Issue Type: Improvement
>         Environment: Maven version: 2.0.7 Java version: 1.4.2 OS name: "windows xp" version: "5.1" arch: "x86"
>            Reporter: Christian K.
>            Assignee: Siveton Vincent
>            Priority: Minor
>
> If http proxy is set, in case of error calling javadoc, the whole command line call is dumped out on console.
> This can reveal sensitive information about personal proxy settings (user and password) which are passed
> via -J-Dhttp.proxyUser= and -J-Dhttp.proxyPassword= arguments to the javadoc executable.
> For example:
> Command line was:"C:\Program Files\IBM\WebSphere\AppServer\java\jre\..\bin\javadoc.exe" -J-DproxyHost=urlofmyproxy -J-DproxyPort=8080 -J-Dhttp.proxySet=true -J-Dhttp.proxyHost=urlofmyproxy -J-Dhttp.proxyPort=8080 -J-Dhttp.nonProxyHosts="myinternalrepo" -J-Dhttp.proxyUser="FOO" -J-Dhttp.proxyPassword="BAR" @options @packages
> If this can be an issue, consider hiding these values in the dump.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
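As an added illustration of the mitigation the reporter asks for (masking the values in the dump), and not code from the Maven Javadoc Plugin or from this thread, here is a small Java helper that blanks the -J-Dhttp.proxyUser / -J-Dhttp.proxyPassword values before a javadoc command line is written to the console; the class name, method names and sample command line are my own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks proxy credentials in a javadoc command line before it is logged.
 * Assumed helper for illustration, not part of the Maven Javadoc Plugin.
 */
public final class JavadocCommandLineRedactor {

    // The plugin passes proxy settings to javadoc as -J-D<key>=<value> system properties.
    // Group 1: the key prefix, groups 2 and 4: optional surrounding quotes, group 3: the secret.
    private static final Pattern SECRET_PROPERTY = Pattern.compile(
            "(-J-Dhttps?\\.proxy(?:User|Password)=)(\"?)([^\\s\"]*)(\"?)");

    private static final String MASK = "*****";

    private JavadocCommandLineRedactor() {
    }

    /** Returns the argument (or a whole joined command line) with user/password values masked. */
    public static String redact(String argOrCommandLine) {
        Matcher m = SECRET_PROPERTY.matcher(argOrCommandLine);
        // Keep the key and the quoting so the dump still shows which property was set.
        return m.replaceAll("$1$2" + MASK + "$4");
    }

    /** Redacts each argument of an argv-style list; arguments without credentials are unchanged. */
    public static List<String> redact(List<String> args) {
        List<String> safe = new ArrayList<>(args.size());
        for (String arg : args) {
            safe.add(redact(arg));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the dump quoted in the issue description.
        String dump = "\"C:\\jre\\..\\bin\\javadoc.exe\" -J-Dhttp.proxyHost=urlofmyproxy"
                + " -J-Dhttp.proxyPort=8080 -J-Dhttp.proxyUser=\"FOO\""
                + " -J-Dhttp.proxyPassword=\"BAR\" @options @packages";
        // Log the masked line instead of the raw one; host and port remain readable for debugging.
        System.out.println("Command line was: " + redact(dump));
    }
}
```

Masking only protects the console dump; the generated javadoc.bat mentioned in the comment has to carry the real value to work, so for that file the fix is to delete it even when javadoc fails.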