On Thu, Aug 8, 2024 at 3:15 PM Kirk Fitzsimons <fitzsimonsk...@gmail.com>
wrote:

> When I inspect the HTML this is what I see. Maybe I misunderstood, but I
> thought if the password was transmitted in plain text I would see the
> actual password, e.g. 'kirkpassword', not an encrypted password.
> If I have misunderstood and the update to the getters and setters is
> still needed, what should I expect to see in the HTML?
>

Testing plugin version 1.3.1, the latest at the time of the advisory, on
Jenkins 2.204.3, recent at the time, the password is sent in plain text
when loading the global config form. The same should apply to hpi:run at
its 2020 state.

Since 2.236, Jenkins always round-trips f:password values in their
encrypted form, so the behavior from the 2020 security advisory no longer
applies to more recent Jenkins releases. I forgot I added that, sorry for
the misleading first response. Switching the types around will still
prevent constant re-encryption of a plaintext value, which changes the
actual value stored on disk (and probably makes e.g. jobConfigHistory
worse).

Looking at the UI, I would like the token to be stored and transmitted as a
Secret and masked on the UI before removing this warning. That's
essentially the same issue, and I cannot reconstruct why we didn't pick up
on it at the time.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKt%2BaedzUjbFyN%3DwbykX1fPmk%2BOEF-YOB7muAKCkfJQXQ%40mail.gmail.com.
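The change the reply asks for, storing the token as a `hudson.util.Secret` rather than a `String` and letting `f:password` render it, is shown below as an added example. It is not code from the thread or from the plugin under discussion; the class, package and field names are hypothetical, and it assumes a plugin built against a Jenkins core of 2.236 or later. The "before" shape is left in a comment so the two can be compared side by side.

```java
package example;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Hypothetical global configuration holding one API token.
// Paired with a config.jelly entry such as:
//   <f:entry title="API token" field="apiToken"><f:password/></f:entry>
@Extension
public class ExampleTokenConfiguration extends GlobalConfiguration {

    // BEFORE (the pattern the advisory warns about):
    //   private String apiToken;
    //   public String getApiToken() { return apiToken; }
    //   @DataBoundSetter
    //   public void setApiToken(String t) { apiToken = t; save(); }
    // A String field is persisted as-is, and any encryption applied on save
    // re-encrypts a plaintext value on every submit, so the bytes on disk
    // change each time the form is saved even though the token did not.

    // AFTER: hold the token as a Secret. XStream persists it in encrypted form,
    // and Secret.fromString() recognises an already-encrypted value (the
    // "{...}" form), so a round-trip through the form leaves the stored value
    // unchanged and the UI can mask it.
    private Secret apiToken;

    public ExampleTokenConfiguration() {
        load();
    }

    // Getter returns the Secret; f:password renders its encrypted form.
    public Secret getApiToken() {
        return apiToken;
    }

    // Setter accepts a Secret; Stapler converts the submitted value for us.
    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    // Decrypt only at the point of use; never keep the plaintext in a field.
    public String tokenForRequest() {
        return Secret.toString(apiToken);
    }
}
```

To check the result in the browser, inspect the password input on the global configuration page: its value should be the `{...}` encrypted form rather than the token itself, and saving the form twice without editing the field should leave the corresponding line in the plugin's XML file unchanged.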
