Posted to issues@maven.apache.org by "Tony Trinh (JIRA)" <ji...@codehaus.org> on 2012/12/02 06:18:13 UTC
[jira] (MGPG-41) Passphrase revealed when backspacing at prompt
Tony Trinh created MGPG-41:
------------------------------
Summary: Passphrase revealed when backspacing at prompt
Key: MGPG-41
URL: https://jira.codehaus.org/browse/MGPG-41
Project: Maven 2.x and 3.x GPG Plugin
Issue Type: Bug
Affects Versions: 1.4
Environment: Mac OS X Mountain Lion
Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
Maven home: /usr/share/maven
Java version: 1.6.0_37, vendor: Apple Inc.
Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Default locale: en_US, platform encoding: MacRoman
OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
Reporter: Tony Trinh
At the "GPG Passphrase" prompt, if I hit the backspace key during the entry, the passphrase is printed in cleartext with one less character. For example:
{code}GPG Passphrase: ******************^R
mysecretpasswor*^R
mysecretpasswo*^R
mysecretpassw*^R
mysecretpass*^R
mysecretpas*^R
mysecretpa*^R
mysecretp*^R
mysecret*^R
mysecre*^R
mysecr*^R
mysec*^R
myse*^R
mys*^R
my*^R
m*^R
*^R
*{code}
This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in password prompt (as the [code comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217] had suggested to do):
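{code:java}// System.console() returns null when no interactive console is attached
Console console = System.console();
if ( console != null )
{
    // readPassword() reads the line with echoing disabled
    pass = new String( console.readPassword( "GPG Passphrase: " ) );
}{code}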
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (MGPG-41) Passphrase revealed when backspacing at prompt
Posted by "Olivier Lamy (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-41?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivier Lamy updated MGPG-41:
-----------------------------
Fix Version/s: 1.5
[jira] (MGPG-41) Passphrase revealed when backspacing at prompt
Posted by "Michael Osipov (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-41?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=316331#comment-316331 ]
Michael Osipov commented on MGPG-41:
------------------------------------
I second that. One could check whether we are running 1.6 and use System.Console; otherwise, the thread can still be used.
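The approach discussed in this thread (the built-in no-echo prompt when the runtime has it, a fallback otherwise), sketched as an added example that is not the plugin's code or any poster's. The class name `PassphrasePrompt` and the method `readPassphrase` are hypothetical; reflection is used so the class still loads on a pre-1.6 runtime, and a `null` return tells the caller to use its fallback prompt.

```java
import java.lang.reflect.Method;
import java.util.Arrays;

// Hypothetical helper, not part of maven-gpg-plugin.
public class PassphrasePrompt
{
    /**
     * Returns the passphrase read without echo, or null when the caller must
     * fall back (pre-1.6 runtime, no console attached, or end of input).
     */
    static char[] readPassphrase( String prompt ) throws Exception
    {
        Method consoleMethod;
        try
        {
            // System.console() was added in Java 1.6; absent on older runtimes
            consoleMethod = System.class.getMethod( "console" );
        }
        catch ( NoSuchMethodException e )
        {
            return null;
        }
        Object console = consoleMethod.invoke( null );
        if ( console == null )
        {
            return null; // no interactive console, e.g. input or output is redirected
        }
        Method readPassword = Class.forName( "java.io.Console" )
            .getMethod( "readPassword", String.class, Object[].class );
        // "%s" keeps any '%' in the prompt from being parsed as a format specifier
        return (char[]) readPassword.invoke( console, "%s", new Object[] { prompt } );
    }

    public static void main( String[] args ) throws Exception
    {
        char[] pass = readPassphrase( "GPG Passphrase: " );
        if ( pass == null )
        {
            System.err.println( "No console password prompt available; use the fallback prompt." );
            return;
        }
        try
        {
            System.out.println( "Read " + pass.length + " characters." );
        }
        finally
        {
            Arrays.fill( pass, '\0' ); // wipe our copy; a String could not be cleared
        }
    }
}
```

Keeping the passphrase as a `char[]` rather than wrapping it in a `String` lets the caller overwrite it once it has been handed to gpg.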