JetBrains / plugin-repository-rest-client

Apache License 2.0

Empty password results in successful upload #17

Closed rodm closed 5 years ago

rodm commented 6 years ago

While trying out the publishPlugin task provided by @satamas for the Gradle TeamCity plugin, I discovered that providing an empty password will result in a build completing successfully. The plugin doesn't appear in the repository, so I assume it is being rejected by the backend service, but that is not how it is reported to the user.

Providing an invalid password that's not empty will throw an exception and report that the plugin wasn't uploaded. However, this takes the same amount of time as a successful upload with valid credentials, so it appears the plugin is being uploaded before the credentials are checked.

satamas commented 6 years ago

Thing is that one endpoint is used for uploading plugins via browser and via console/program/etc. When you're trying to upload a plugin w/o password, our server thinks that you're from a browser and responds with a redirect "back" to the plugin upload page with a detailed error message. For Java code a redirect means a successful response, so no exception is thrown in this case. This is a bug, but not a security issue.
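The mechanism described in that comment (one endpoint answering an empty password with a browser-style redirect, which a client that follows redirects then reads as a 200) can be reproduced end to end. The following is an added example, not code from plugin-repository-rest-client: it stands up a constructed stand-in for the upload endpoint on a loopback port and runs two clients against it, one that follows redirects like the Java client in the issue and one that refuses them and treats anything other than a direct 200 as a failed upload. The form field names, the status codes and the redirect target are assumptions made for the demo.

```python
"""Why a redirect on an empty password looks like a successful upload.

Added example (not code from plugin-repository-rest-client). The server below is a
constructed stand-in for the shared browser/programmatic upload endpoint; field
names, status codes and the redirect target are assumptions.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs
from urllib.request import HTTPRedirectHandler, Request, build_opener, urlopen

VALID_PASSWORD = "correct-horse"  # constructed credential for the fake server


class UploadHandler(BaseHTTPRequestHandler):
    """Mimics one endpoint shared by browser and programmatic uploads."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode(), keep_blank_values=True)
        password = form.get("password", [""])[0]
        if password == "":
            # Browser-style handling: bounce the user back to the upload form.
            self.send_response(302)
            self.send_header("Location", "/upload?error=missing-password")
            self.end_headers()
        elif password != VALID_PASSWORD:
            self.send_response(403)  # wrong password: a plain error status
            self.end_headers()
        else:
            self.send_response(200)  # accepted upload
            self.end_headers()

    def do_GET(self):
        # The upload form page that the redirect lands on: a plain 200.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<form>upload form with error message</form>")

    def log_message(self, *args):  # keep the demo quiet
        pass


def upload_following_redirects(url, password):
    """Default urllib behaviour: follow the 302, fetch the form page, see a 200.
    This mirrors the Java client in the issue, where a redirect counts as success."""
    data = f"password={password}&file=plugin.zip".encode()
    try:
        with urlopen(Request(url, data=data, method="POST")) as resp:
            return resp.status == 200
    except HTTPError:
        return False


class RefuseRedirects(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the opener then raises HTTPError for the 3xx


def upload_strict(url, password):
    """Hardened client: only a direct 200 from the upload endpoint is success;
    a redirect, 4xx or 5xx is reported as a failed upload."""
    data = f"password={password}&file=plugin.zip".encode()
    opener = build_opener(RefuseRedirects)  # replaces the default redirect handler
    try:
        with opener.open(Request(url, data=data, method="POST")) as resp:
            return resp.status == 200
    except HTTPError:
        return False


def run_demo():
    """Start the stand-in server on a free loopback port and try both clients."""
    server = HTTPServer(("127.0.0.1", 0), UploadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/upload"
    try:
        return {
            "naive_empty": upload_following_redirects(url, ""),      # True: false success
            "naive_wrong": upload_following_redirects(url, "nope"),  # False: 403 raises
            "strict_empty": upload_strict(url, ""),                  # False: 302 rejected
            "strict_valid": upload_strict(url, VALID_PASSWORD),      # True
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'uploaded' if ok else 'failed'}")
```

The point of the strict client is that a publishing tool should treat only the upload endpoint's own success status as success; a redirect from a POST is a sign that the request was handled as a browser form submission, and reporting it as an upload hides the rejection from the build log.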

satamas commented 6 years ago

About plugin uploading with an invalid password: I'll check it again, but from a quick look at the code, nothing happens with the request file before the permissions check.

zolotov commented 5 years ago

Password authentication is obsolete; I believe the issue is obsolete as well.