Posted to issues@maven.apache.org by "Christian K. (JIRA)" <ji...@apache.org> on 2016/04/05 13:38:25 UTC

[jira] [Created] (MJAVADOC-447) Command line dump reveals proxy user/password in case of errors

Christian K. created MJAVADOC-447:
-------------------------------------

             Summary: Command line dump reveals proxy user/password in case of errors
                 Key: MJAVADOC-447
                 URL: https://issues.apache.org/jira/browse/MJAVADOC-447
             Project: Maven Javadoc Plugin
          Issue Type: Improvement
         Environment: Maven version: 2.0.7 Java version: 1.4.2 OS name: "windows xp" version: "5.1" arch: "x86"
            Reporter: Christian K.
            Assignee: Siveton Vincent
            Priority: Minor
             Fix For: 2.4


If an HTTP proxy is set, in case of an error calling javadoc, the whole command line call is dumped out on the console.
This can reveal sensitive information about personal proxy settings (user and password), which are passed
via -J-Dhttp.proxyUser= and -J-Dhttp.proxyPassword= arguments to the javadoc executable.

For example:
Command line was:"C:\Program Files\IBM\WebSphere\AppServer\java\jre\..\bin\javadoc.exe" -J-DproxyHost=urlofmyproxy -J-DproxyPort=8080 -J-Dhttp.proxySet=true -J-Dhttp.proxyHost=urlofmyproxy -J-Dhttp.proxyPort=8080 -J-Dhttp.nonProxyHosts="myinternalrepo" -J-Dhttp.proxyUser="FOO" -J-Dhttp.proxyPassword="BAR" @options @packages

If this can be an issue, consider hiding these values in the dump.



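One way to mask these values before the command line is written to the console, as an added example that is not the plugin's own code. The class name, the mask string and the handling of https.-prefixed and unprefixed variants are assumptions that go beyond the two arguments named in the report; the sample dump is constructed from the one quoted above, with the path shortened.

```java
import java.util.regex.Pattern;

public class CommandLineRedactor {
    // Group 1: the -J-D...proxyUser= / proxyPassword= key, with an optional
    // http. or https. prefix (the https./bare forms are an assumption).
    // The value is either a double-quoted string (may contain spaces) or a bare token.
    private static final Pattern PROXY_CREDENTIAL = Pattern.compile(
            "(-J-D(?:https?\\.)?proxy(?:User|Password)=)(?:\"[^\"]*\"|[^\\s\"]*)");

    private static final String MASK = "*****";

    /** Returns the command line with proxy user and password values replaced by a mask. */
    static String redact(String commandLine) {
        if (commandLine == null) {
            return null;
        }
        return PROXY_CREDENTIAL.matcher(commandLine).replaceAll("$1" + MASK);
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the dump in the report (path shortened).
        String dump = "\"javadoc.exe\" -J-Dhttp.proxySet=true -J-Dhttp.proxyHost=urlofmyproxy"
                + " -J-Dhttp.proxyPort=8080 -J-Dhttp.nonProxyHosts=\"myinternalrepo\""
                + " -J-Dhttp.proxyUser=\"FOO\" -J-Dhttp.proxyPassword=\"BAR\" @options @packages";
        String safe = redact(dump);
        System.out.println("Command line was:" + safe);

        // Credential values are gone; non-secret arguments are untouched.
        check(!safe.contains("FOO") && !safe.contains("BAR"));
        check(safe.contains("-J-Dhttp.proxyHost=urlofmyproxy"));
        check(safe.contains("-J-Dhttp.proxyPassword=***** @options"));
        // Edge cases: a quoted value containing a space, and an unquoted value.
        check(redact("-J-Dhttp.proxyPassword=\"two words\" @options")
                .equals("-J-Dhttp.proxyPassword=***** @options"));
        check(redact("-J-Dhttps.proxyUser=alice -verbose")
                .equals("-J-Dhttps.proxyUser=***** -verbose"));
    }

    private static void check(boolean ok) {
        if (!ok) {
            throw new IllegalStateException("redaction check failed");
        }
    }
}
```

Masking only affects what is printed; the credentials are still passed on the javadoc process command line, where other local users may be able to read them from the process list.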