maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas Wabner (JIRA)" <>
Subject [jira] (SCM-764) username and credentials shown as INFO on commadline
Date Mon, 04 Aug 2014 15:33:10 GMT


Thomas Wabner commented on SCM-764:

After some more investigation, I guess the problem ist in plexus-utils-3.0.15 in org.codehaus.plexus.util.cli.Commandline
line 513 or (the cause) 534

The toString() method is triggered by org.apache.maven.scm.provider.git.gitexe.command.GitCommandLineUtils
line 111.

There should be a change in this line to not use toString() ... here a "filtered" command
line output should be used.

> username and credentials shown as INFO on commadline
> ----------------------------------------------------
>                 Key: SCM-764
>                 URL:
>             Project: Maven SCM
>          Issue Type: Bug
>          Components: maven-scm-provider-git
>         Environment: Apache Maven 3.2.1 (ea8b2b07643dbb1b84b6d16e1f08391b666bc1e9; 2014-02-14T18:37:52+01:00)
> Maven home: D:\Dev\maven\apache-maven-3.2.1
> Java version: 1.7.0_51, vendor: Oracle Corporation
> Java home: D:\Dev\Java\jdk7_51_x64\jre
> Default locale: de_DE, platform encoding: Cp1252
> OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"
>            Reporter: Thomas Wabner
> Using git repository with gitblit on HTTPS.
> Every git command which involve the remote repository (like fetch, pull, push and so
on) showing the username and credentials on the commandline like this:
> [INFO] Executing: cmd.exe /X /C "git push https://user:secret@devserver/gitblit//r/waffel/devopts.git
> It should be avoided to ever print out passwords on the command line. I have encrypted
the password in maven settings.xml ... but now it comes back and anybody can see them (also
on a continues build server which should push with a dedicated user to a central repo).

This message was sent by Atlassian JIRA

View raw message