| Summary: | [Security] A user with only Job Read and Build privileges can see the default password stored against a password parameter | | |
|---|---|---|---|
| Product: | [Technology] Hudson | Reporter: | Geoff Waymark <mygwaymark> |
| Component: | Core | Assignee: | Winston Prakash <winston.prakash> |
| Status: | RESOLVED WONTFIX | QA Contact: | Geoff Waymark <mygwaymark> |
| Severity: | major | | |
| Priority: | P3 | CC: | bobfoster, lamujuri, mygwaymark, rovarghe |
| Version: | 3.2.1 | Keywords: | security |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Windows 7 | | |
| Whiteboard: | candidate-3.4.0 | | |
Description
Geoff Waymark
2014-12-01 11:55:57 EST
Retested with these steps and I can still see the supposedly hidden value in the DOM tree for the hidden element:

`<input name="value" type="password" class="setting-input " value="DONOTSHOW">`

There are two places.

- Parameter definition in the job configuration. I substitute a dummy password (*****) if the user has no configure permission, because the user can only view the configuration, not submit it. Seems to be fixed.
- Parameter value setting while starting to build a job. (Here I cannot substitute a dummy password, otherwise the dummy password will be submitted to run the job, so the password has to be the actual password.)

Let me see if I can send an encrypted password while starting to build the job. The other option is not to allow a default password.

The Eclipse Hudson project has been terminated and archived.
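For the build-form case discussed above, one common pattern is to render a fixed mask and have the server swap an untouched mask back to the stored default on submit. The sketch below is an added example, not Hudson code: `MASK`, `render_build_field`, `resolve_submitted` and `audit` are hypothetical names, and the audit function shows how a regression test could flag the element quoted in the report.

```python
from html import escape
from html.parser import HTMLParser

MASK = "********"  # constructed sentinel; a real password equal to it cannot be typed in


def render_build_field(name: str) -> str:
    """Render a password parameter on the build form without its stored default."""
    return (f'<input name="name" type="hidden" value="{escape(name)}">'
            f'<input name="value" type="password" class="setting-input" value="{MASK}">')


def resolve_submitted(submitted: str, stored_default: str) -> str:
    """Server side: an untouched mask means 'use the stored default'."""
    return stored_default if submitted == MASK else submitted


class PasswordValueAudit(HTMLParser):
    """Collect password inputs whose value attribute carries real data."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            value = a.get("value") or ""
            if value and value != MASK:
                # Record the field name and length only, never the secret itself.
                self.leaks.append((a.get("name"), len(value)))


def audit(html: str):
    """Return (name, length) for every pre-populated password input in html."""
    parser = PasswordValueAudit()
    parser.feed(html)
    parser.close()
    return parser.leaks


# Constructed sample: the element quoted in the report above.
REPORTED = '<input name="value" type="password" class="setting-input " value="DONOTSHOW">'

if __name__ == "__main__":
    print("reported markup:", audit(REPORTED))
    print("masked markup:  ", audit(render_build_field("DB_PW")))
```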