ant-user mailing list archives

From Jan Matèrne (jhm) <apa...@materne.de>
Subject AW: Secure input handler
Date Fri, 30 Aug 2013 11:09:02 GMT
The problem is not in <input> or in the InputHandler used.
This log is produced in a completely different place.

The InputHandler silently reads your password.
The input task does not log the pwd, it just stores the value on the project
instance.
This storing is finally done by a PropertyHelper, which then logs the setting
of a property - not knowing that this should be a secret one.

Haven't looked at the getDelegates(PropertySetter.class) ... so I can't say
if there is a possibility to "hide" the saving ...


Jan


    /**
     * Sets a property if no value currently exists. If the property
     * exists already, a message is logged and the method returns with
     * no other effect.
     *
     * @param name The name of property to set.
     *             Must not be <code>null</code>.
     * @param value The new value of the property.
     *              Must not be <code>null</code>.
     * @since Ant 1.8.0
     */
    public void setNewProperty(String name, Object value) {
        for (PropertySetter setter : getDelegates(PropertySetter.class)) {
            if (setter.setNew(name, value, this)) {
                return;
            }
        }
        synchronized (this) {
            if (project != null && properties.containsKey(name)) {
                project.log("Override ignored for property \"" + name
                            + "\"", Project.MSG_VERBOSE);
                return;
            }
            if (project != null) {
                project.log("Setting project property: " + name
                            + " -> " + value, Project.MSG_DEBUG);
            }
            if (name != null && value != null) {
                properties.put(name, value);
            }
        }
    }


> -----Original Message-----
> From: Tom Cleghorn [mailto:tcleghorn@cambridge.org]
> Sent: Friday, 30 August 2013 12:44
> To: Ant Users List
> Subject: Secure input handler
> 
> Hi,
> 
> When using the secure input handler - e.g.:
> 
> <input message="enter pass" addproperty="pwd" defaultvalue="NULL">
>    <handler type="secure"/>
> </input>
> 
> ...the build hides the keyboard input as expected. However, if I run
> ant with -d, the next line of console output is "Setting project
> property: pwd -> pass"!
> 
> This seems less than ideal - is it by design, and are there any steps I
> can take to prevent it? I'd prefer not to write an input handler of my
> own if I can possibly avoid it, but is that going to be the only option?
> 
> Thanks!
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
> For additional commands, e-mail: user-help@ant.apache.org
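
An added example, not part of either message and not Ant code: a scrubber for archived `ant -d` output that masks the value on the "Setting project property: name -> value" line written by the project.log call quoted above, then masks the same value wherever else it shows up in the log. The function name, the glob list of secret property names and the sample log are assumptions constructed for illustration.

```python
import fnmatch
import re

# Shape of the MSG_DEBUG line written by PropertyHelper.setNewProperty.
SET_LINE = re.compile(
    r"^(?P<head>.*Setting project property: (?P<name>\S+) -> )(?P<value>.*)$"
)
MASK = "********"
MIN_PROPAGATE_LEN = 4  # assumption: shorter values are not masked elsewhere


def scrub_ant_log(lines, secret_globs):
    """Return (clean_lines, findings) for the lines of an `ant -d` log.

    findings lists (line_number, property_name) for each secret property
    whose value was written in clear text.
    """
    leaked, findings, staged = set(), [], []
    for number, line in enumerate(lines, 1):
        m = SET_LINE.match(line)
        if m and any(fnmatch.fnmatchcase(m["name"], g) for g in secret_globs):
            findings.append((number, m["name"]))
            if len(m["value"]) >= MIN_PROPAGATE_LEN:
                leaked.add(m["value"])
            line = m["head"] + MASK
        staged.append(line)

    # Second pass: the same value may be echoed by later (or earlier) tasks.
    # Longest first, so a value containing another one is masked whole.
    ordered = sorted(leaked, key=len, reverse=True)
    clean = []
    for line in staged:
        for value in ordered:
            line = line.replace(value, MASK)
        clean.append(line)
    return clean, findings


# Constructed sample log, modelled on the line quoted in the thread.
SAMPLE_LOG = [
    "Setting project property: build.dir -> out",
    "Setting project property: pwd -> s3cr3t-Example",
    "     [echo] connecting with s3cr3t-Example",
    'Override ignored for property "pwd"',
]

if __name__ == "__main__":
    cleaned, hits = scrub_ant_log(SAMPLE_LOG, ["pwd", "*.password"])
    print("\n".join(cleaned))
    print("leaked properties:", hits)
```

A property value containing a line break spans several log lines; only its first line is matched by the pattern here.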
