[JIRA] [envinject] (JENKINS-22629) Prevent autofill of password entry fields


Juergen.Hermann@1und1.de (JIRA)

Apr 15, 2014, 11:27:04 AM
to jenkinsc...@googlegroups.com
Issue Type: Bug
Affects Versions: current
Assignee: Gregory Boissinot
Components: envinject
Created: 15/Apr/14 3:26 PM
Description:

The "envInjectPasswordEntry.password" input field in the job config, and also the related field in the global config, should get an autocomplete="off" attribute – else there's the real danger of leaking the Jenkins login password by browser auto-fill.

Environment: Jenkins 1.556 envinject 1.89
Project: Jenkins
Priority: Major
Reporter: Jürgen Hermann
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
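An added audit check, not part of this JIRA thread or the EnvInject plugin, that scans form markup for password inputs a browser may auto-fill; it treats only autocomplete="off" or "new-password" as safe, since current browsers ignore "off" on fields they classify as login passwords but honour "new-password". The sample markup is constructed; only the envInjectPasswordEntry.password field name comes from the report.

```javascript
// Constructed sample markup for the audit (not taken from Jenkins).
// Only the "envInjectPasswordEntry.password" name comes from the bug report.
const SAMPLE_FORM = `
<form method="post" action="/job/demo/configSubmit">
  <input type="text" name="_.username">
  <input type="password" name="envInjectPasswordEntry.password" value="">
  <input type="password" name="_.apiToken" autocomplete="off">
  <input type="password" name="_.newSecret" autocomplete="new-password">
  <input type="PASSWORD" name='_.legacy' autocomplete = "on">
</form>`;

// autocomplete values that tell the browser not to offer a saved login here.
const SAFE_AUTOCOMPLETE = new Set(["off", "new-password"]);

// Parse one <input ...> tag into a map of lower-cased attribute names to values.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "");
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return the names of password inputs whose autocomplete hint would not stop
// a browser from filling a stored password into them.
function findAutofillablePasswordFields(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttributes(m[0]);
    if ((a.type || "text").toLowerCase() !== "password") continue;
    const hint = (a.autocomplete || "").toLowerCase();
    if (!SAFE_AUTOCOMPLETE.has(hint)) findings.push(a.name || "(unnamed)");
  }
  return findings;
}

// Report fields the browser may silently fill, as in the POST described above.
console.log(findAutofillablePasswordFields(SAMPLE_FORM));
```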

daniel@beckweb.net (JIRA)

Apr 15, 2014, 6:13:05 PM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-22629

Please explain how this can be reproduced.

In "Inject passwords to the build as environment variables", specifying a password foobar and saving, accessing the page afterwards results in 4l1OLblQ8negGA2Ldqe6HCiHhu+VGHtVSEQdPSSDna8= being entered in the password field (it's obviously much longer, and inspect element shows the value). Even when enabling password storage in my browser after saving the config page the first time (Firefox 28). Jenkins 1.532.2, env-inject 1.89.

Juergen.Hermann@1und1.de (JIRA)

Apr 16, 2014, 7:19:04 AM
to jenkinsc...@googlegroups.com

We found this with the maven-metadata-plugin, where it's certainly more problematic than with EnvInject. If you save empty password fields (which with maven-metadata-plugin is "normal"), then e.g. Chrome will augment the POST with a saved Jenkins account password (and the user will not necessarily notice this).

But since the cure is easy and unintrusive, is it really important how often accidents might happen? I doubt you'll ever want autofill in these fields.

arnt.work@gmail.com (JIRA)

Jun 16, 2014, 2:46:07 AM
to jenkinsc...@googlegroups.com

This is especially important in view of JENKINS-22338, where Safari remembers the Jenkins login and password and then proceeds to fill that in in the Perforce SCM section of projects! (We use a separate user for building in Perforce, so this breaks the project on every edit of a project by a user using Safari, unless they are aware and turn the feature to remember passwords off!)

arnt.work@gmail.com (JIRA)

Jun 16, 2014, 2:54:02 AM
to jenkinsc...@googlegroups.com
 
Arnt Witteveen edited a comment on Bug JENKINS-22629

This is especially important in view of JENKINS-22338, where Safari remembers the Jenkins login and password and then proceeds to fill that in in (e.g., for us) the Perforce SCM section of projects! (We use a separate user for building in Perforce, so this breaks the project on every edit of a project by a user using Safari, unless they are aware and turn the feature to remember passwords off!)
