ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Bodewig <bode...@apache.org>
Subject Re: Secure input handler
Date Fri, 30 Aug 2013 11:05:41 GMT
On 2013-08-30, Tom Cleghorn wrote:

> When using the secure input handler - e.g.:

> <input message="enter pass" addproperty="pwd" defaultvalue="NULL">
>    <handler type="secure"/>
> </input>

> ...the build hides the keyboard input as expected. However, if I run ant
> with -d, the next line of console output is "Setting project property: pwd
> -> pass"!

> This seems less than ideal - is it by design, and are there any steps I
> can take to prevent it? I'd prefer not to write an input handler of my own
> if I can possibly avoid it, but is that going to be the only option?

If if you'd write an input handler of your own, it wouldn't help.  The
debug output is produced when the property is set.  If you set a
property - which is what input does - then its value will not only get
logged at the debug level but also is available to all other tasks
running inside the same Ant project (this could be meliorated by using
local properties, but still).

So using properties at all is not a good idea for something that is
critical enough that you wouldn't want to leak it into debug output.

Most of the time the person that provides the input is the same person
that starts Ant and has control over the log output, the risk may be
acceptable in many cases.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message