|
#1
|
|||
|
|||
Perforce Passwords displayed as clear text
When showing the "commandline constructed for call" of perforce action steps...
it would be a good idea to mask out the password with asterisks, as otherwise the log files and/or screen output can easily reveal the sensitive perforce password information! eg the output shows: p4 -cGRIBBLE_WAGON_MAIN -pperforce:1666 -uryan.gribble -Ppassword change -i I am using temporary macros to store the password, and i accept that whilst the script is running, someone could look in the macros list and see the password... but once ive shut down VBPro someone could still look in the logfile. (yes i know the logfile could be deleted, but we want to keep them on hand, and infact email it to a list of people, who shouldnt all have access to the masterbuild password for perforce!). |
#2
|
|||
|
|||
A couple of options:
1) Don't write the P4 command-line to the log (uncheck the 'show command-line' option). 2) Store the password in the P4PASSWD environment variable at the start of the build, and remove the password from the Perforce steps (sample attached). |
#3
|
|||
|
|||
Thanks for the response...
Yes i realise i could avoid it by not showing the command in the logs, but we are finding it useful to log the exact command created incase we do have an error we know what command was ruyn. Now the build script is polished and working fine though, perhaps i dont need to output it anymore. As foir setting the environment variable P4PASSWD... i cant see how this is very secure either, as opening the .bld file in notepad will reveal it's value: <step action='Set Macro' type='0'> <MacroEnvVar type='11'>-1</MacroEnvVar> <MacroName>P4PASSWD</MacroName> <MacroValue>pass</MacroValue> <description>Store the Perforce password in the P4PASSWD macro/environment variable</description> <name>create env var</name> </step> What i am doing is using a custom user action ive written in c#.NET to get the required perforce settings (as well as other build options) and then store them as temporary macros. The advantage of this is that the tempoirary macro isnt stored in the .bld file, so once the script is run and VBPro closes, the perforce password and other details are no longer visible anywhere. I suppose i was just saying maybe in a future version, if the option "output command" is ticked, the password (if provided) could be masked out for security |
#4
|
|||
|
|||
You can still retrieve the password into a temporary variable using your C# component, just replace 'pass' in the sample with %NAME_OF_TEMP_MACRO_HOLDING_PASSWORD%. As for obscuring the password when logging, that's not so simple since the logging component(s) don't have any intrinsic knowledge of where passwords might exist in the text they are logging.
|
|
|