Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2015/12/15 16:03:46 UTC
[jira] [Created] (KARAF-4199) Privacy Violation: Heap Inspection
Eduardo Aguinaga created KARAF-4199:
---------------------------------------
Summary: Privacy Violation: Heap Inspection
Key: KARAF-4199
URL: https://issues.apache.org/jira/browse/KARAF-4199
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify and SciTools Understand were used to perform an application security scan on the Karaf source code.
The method interactive() in Main.java stores sensitive data in a String object on line 127, making it impossible to reliably purge the data from memory.
Main.java, lines 120-137:
120 public String[] interactive(String destination, String name, String instruction, String[] prompt, boolean[] echo) {
121     String[] answers = new String[prompt.length];
122     try {
123         for (int i = 0; i < prompt.length; i++) {
124             if (echo[i]) {
125                 answers[i] = console.readLine(prompt[i] + " ");
126             } else {
127                 answers[i] = new String(console.readPassword(prompt[i] + " "));
128             }
129             if (answers[i] == null) {
130                 return null;
131             }
132         }
133         return answers;
134     } catch (IOError e) {
135         return null;
136     }
137 }
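The following is an added illustration of the pattern the finding describes; it is not code from Karaf or from the reporter. `readSecretAsString` reproduces the shape of line 127 (the char[] returned by `Console.readPassword` is copied into an immutable `String`, which the JVM can only reclaim whenever garbage collection happens), and `readSecretAsChars` plus `verifyAndWipe` show the usual remedy: keep the secret in a `char[]`, consume it, and overwrite it with `Arrays.fill` in a `finally` block. The `verify` method and the `EXPECTED` reference value are hypothetical and constructed for the demo so the class runs offline even without a TTY; a real check would compare against a stored salted hash, not a plaintext constant.

```java
import java.io.Console;
import java.util.Arrays;

/**
 * Added example (not Karaf code): a password read from the console
 * handled as String (unwipeable) versus as char[] (wiped after use).
 */
public class HeapInspectionExample {

    // Constructed reference value for the offline demo only.
    private static final char[] EXPECTED = "s3cret".toCharArray();

    // Vulnerable shape, mirroring line 127: the char[] is copied into a
    // String. Strings are immutable, so the copy stays readable on the
    // heap until the collector happens to reclaim it.
    static String readSecretAsString(Console console, String prompt) {
        char[] raw = console.readPassword(prompt + " ");
        return raw == null ? null : new String(raw);
    }

    // Hardened shape: stay in char[] so the caller can overwrite it.
    static char[] readSecretAsChars(Console console, String prompt) {
        return console.readPassword(prompt + " ");
    }

    // Hypothetical verifier. Constant-time over the compared bytes so the
    // check itself does not add a timing side channel.
    static boolean verify(char[] candidate) {
        if (candidate == null || candidate.length != EXPECTED.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < EXPECTED.length; i++) {
            diff |= candidate[i] ^ EXPECTED[i];
        }
        return diff == 0;
    }

    // Consume the secret and zero the buffer even if verify() throws.
    static boolean verifyAndWipe(char[] candidate) {
        try {
            return verify(candidate);
        } finally {
            if (candidate != null) {
                Arrays.fill(candidate, '\0');
            }
        }
    }

    static boolean allZero(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Console console = System.console();
        char[] secret;
        if (console != null) {
            secret = readSecretAsChars(console, "Password:");
        } else {
            // No TTY (IDE, CI): constructed input so the example still runs.
            secret = "s3cret".toCharArray();
        }
        boolean ok = verifyAndWipe(secret);
        System.out.println("authenticated=" + ok);
        System.out.println("buffer wiped=" + allZero(secret));
    }
}
```

Note that the `interactive()` method quoted above returns `String[]`, so the `new String(...)` on line 127 is forced by the method's own signature; removing the String copy means changing the return type (or the callback contract) so that a `char[]` can flow through to whatever consumes the answer and is wiped there, as in `verifyAndWipe`. Keeping the secret in a `char[]` bounds its lifetime but does not eliminate the risk: the JVM may still have copied the buffer during garbage collection, and the `EXPECTED` constant in this demo is itself a plaintext secret in memory, which is why real code compares against a hash.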