You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Michael Osipov (JIRA)" <ji...@apache.org> on 2019/02/17 11:05:00 UTC
[jira] [Commented] (MJAVADOC-447) Command line dump reveals proxy
user/password in case of errors
[ https://issues.apache.org/jira/browse/MJAVADOC-447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16770360#comment-16770360 ]
Michael Osipov commented on MJAVADOC-447:
-----------------------------------------
I will take care of this. It will be implicitly fixed by MJAVADOC-565.
> Command line dump reveals proxy user/password in case of errors
> ---------------------------------------------------------------
>
> Key: MJAVADOC-447
> URL: https://issues.apache.org/jira/browse/MJAVADOC-447
> Project: Maven Javadoc Plugin
> Issue Type: Improvement
> Environment: Maven version: 2.0.7 Java version: 1.4.2 OS name: "windows xp" version: "5.1" arch: "x86"
> Reporter: Christian K.
> Assignee: Michael Osipov
> Priority: Minor
>
> If http proxy is set, in case of error calling javadoc, the whole command line call is dumped out on console.
> This can reveal sensible information about personal proxy settings (user and password) which are passed
> via -J-Dhttp.proxyUser= and -J-Dhttp.proxyPassword= arguments to the javadoc executable.
> For example:
> Command line was:"C:\Program Files\IBM\WebSphere\AppServer\java\jre\..\bin\javadoc.exe" -J-DproxyHost=urlofmyproxy -J-DproxyPort=8080 -J-Dhttp.proxySet=true -J-Dhttp.proxyHost=urlofmyproxy -J-Dhttp.proxyPort=8080 -J-Dhttp.nonProxyHosts="myinternalrepo" -J-Dhttp.proxyUser="FOO" -J-Dhttp.proxyPassword="BAR" @options @packages
> If this can be an issue, consider hiding these values in the dump.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)