Jetty version(s)
Jetty 12
Enhancement Description
Contents of ini files in start.d turn into process parameters. It's non-obvious that settings, possibly protected by file permissions, become part of the publicly viewable process arguments. This isn't great for anything that contains a password, like start.d/ssl.ini.
It looks like it happens here:
```sh
JETTY_DRY_RUN=$(echo "${JETTY_ARGS[*]} ${JAVA_OPTIONS[*]}" | xargs "$JAVA" -jar "$JETTY_START" --dry-run=opts,path,main,args,envs)
```
jetty.project/jetty-home/src/main/resources/bin/jetty.sh
Line 571 in dde6ae1
The best solution would be for the file contents to remain hidden. At the least, ssl.ini and similar should locally document that all values become public.
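An audit check for the exposure described in this issue, added here as an example (it is not code from Jetty or from the issue's author): it reads NUL-separated argument dumps in the Linux `/proc/<pid>/cmdline` format and reports which `key=value` arguments have secret-looking keys, without printing the values. The function names, the key pattern and the sample argv are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find secret-looking key=value arguments in process argv.
# Input format: NUL-separated arguments, as in Linux /proc/<pid>/cmdline.

# Assumption: keys containing these words (any case) are sensitive.
SENSITIVE_RE='(password|passwd|secret|token)'

# list_exposed_keys FILE
# Prints "key=<redacted>" for each argument of the form key=value or
# -Dkey=value whose key matches SENSITIVE_RE. Values are never printed.
list_exposed_keys() {
    tr '\000' '\n' < "$1" |
        sed -n 's/^-D//; s/^\([A-Za-z0-9_.-]*\)=..*$/\1/p' |
        grep -Ei "$SENSITIVE_RE" |
        sed 's/$/=<redacted>/'
}

# scan_proc: run the check over every process this user can read.
scan_proc() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        hits=$(list_exposed_keys "$f" 2>/dev/null)
        pid=${f#/proc/}
        [ -n "$hits" ] && printf 'pid %s\n%s\n' "${pid%/cmdline}" "$hits"
    done
    return 0
}

# write_sample FILE: constructed argv resembling a Jetty start command
# after the properties from start.d/ssl.ini were expanded into arguments.
write_sample() {
    printf '%s\000' java -jar start.jar jetty.ssl.port=8443 \
        jetty.sslContext.keyStorePassword=CONSTRUCTED-VALUE > "$1"
}

# Demo on the constructed sample only.
sample=$(mktemp)
write_sample "$sample"
list_exposed_keys "$sample"
rm -f "$sample"
```

Calling `scan_proc` as an unprivileged user shows what any local account can see on a host where `/proc` is not mounted with `hidepid`.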