Posted to ivy-commits@incubator.apache.org by "Gilles Scokart (JIRA)" <ji...@apache.org> on 2007/04/27 12:44:15 UTC

[jira] Updated: (IVY-486) Credentials are shown in build log even if debug is not enabled

     [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gilles Scokart updated IVY-486:
-------------------------------

    Attachment: IVY-486.patch

I have checked in the latest version of the trunk, and it seems that the messages are initialized before the credentials are set.  So taking the 2.0-alpha-1 might also be a good workaround.

Anyway, here is a patch that avoids logging the password, even in debug mode.  This can indeed be a security hole in some cases (the hacker manages to change the log level used by an ant script that he is not supposed to be able to read).

> Credentials are shown in build log even if debug is not enabled
> ---------------------------------------------------------------
>
>                 Key: IVY-486
>                 URL: https://issues.apache.org/jira/browse/IVY-486
>             Project: Ivy
>          Issue Type: Bug
>          Components: Ant
>    Affects Versions: 1.4.1
>            Reporter: Pavel Sher
>         Attachments: IVY-486.patch
>
>
> I have the following construction in my Ant build.xml:
>     <ivy-configure file="${basedir}/ivyconf.xml">
>       <credentials host="host" realm="realm" username="user" passwd="pass" />
>     </ivy-configure>
> When Ant starts this build.xml I see in the output: 
> credentials added realm@host user/pass
> This output is produced by CredentialsStore class even if debug level is not enabled. As I can see the problem is that Messages.init is called after the adding of credentials and this message goes right to the system error and then it is printed by Ant itself. The problem is critical for me because I want to use this build.xml in the continuous integration server and I do not want my credentials to be shown in the build log. Is there a workaround for this?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
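
For build logs already written by an affected version, the leaked line has the shape quoted in the report (`credentials added realm@host user/pass`). The following Python filter is an added example, not part of the original message, the attached patch, or Ivy: it masks the password in such lines and reports which lines leaked. The regular expression and the names `redact_line` and `redact_log` are assumptions derived only from that one sample line.

```python
import re

# Shape taken from the single sample line in the report:
#   credentials added realm@host user/pass
# Assumption: host and username contain no whitespace and the username has no "/".
# The realm is matched lazily, so the earliest plausible "@host user/" wins and
# everything after that first "/" is masked (over-masks rather than under-masks
# when the password itself contains "@", "/" or spaces).
LEAK_RE = re.compile(
    r"^(?P<prefix>.*?credentials added )"
    r"(?P<realm>.*?)@(?P<host>\S+) "
    r"(?P<user>[^/\s]+)/(?P<passwd>.*)$"
)
MASK = "********"


def redact_line(line):
    """Return (redacted_line, leaked) for one log line without its newline."""
    m = LEAK_RE.match(line)
    if m is None:
        return line, False
    kept = "{prefix}{realm}@{host} {user}/".format(**m.groupdict())
    return kept + MASK, True


def redact_log(text):
    """Mask every leaked password; return (clean_text, leaked_line_numbers)."""
    out, hits = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        clean, leaked = redact_line(line)
        out.append(clean)
        if leaked:
            hits.append(number)
    return "\n".join(out), hits


# Constructed sample log: only the format of line 2 comes from the report.
SAMPLE_LOG = """\
Buildfile: build.xml
credentials added realm@host user/pass
[12:44:15] credentials added Sonatype Nexus@repo.example.test deploy/p@ss w0rd/1
[ivy:resolve] :: resolving dependencies ::"""

if __name__ == "__main__":
    clean, hits = redact_log(SAMPLE_LOG)
    print(clean)
    print("leaked credential lines:", hits)
```

Any password found this way has already been exposed to everyone with access to the log, so the line numbers returned are a list of credentials to rotate, not only lines to scrub.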