You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Tony Trinh (JIRA)" <ji...@codehaus.org> on 2012/12/02 06:18:13 UTC

[jira] (MGPG-41) Passphrase revealed when backspacing at prompt

Tony Trinh created MGPG-41:
------------------------------

             Summary: Passphrase revealed when backspacing at prompt
                 Key: MGPG-41
                 URL: https://jira.codehaus.org/browse/MGPG-41
             Project: Maven 2.x and 3.x GPG Plugin
          Issue Type: Bug
    Affects Versions: 1.4
         Environment: Mac OS X Mountain Lion

Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
Maven home: /usr/share/maven
Java version: 1.6.0_37, vendor: Apple Inc.
Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Default locale: en_US, platform encoding: MacRoman
OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
            Reporter: Tony Trinh


At the "GPG Passphrase" prompt, if I hit the backspace key during the entry, the passphrase is printed in cleartext with one less character. For example:

{code}GPG Passphrase: ******************^R
mysecretpasswor*^R
mysecretpasswo*^R
mysecretpassw*^R
mysecretpass*^R
mysecretpas*^R
mysecretpa*^R
mysecretp*^R
mysecret*^R
mysecre*^R
mysecr*^R
mysec*^R
myse*^R
mys*^R
my*^R
m*^R
*^R
*{code}

This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in password prompt (as the [code comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217] had suggested to do):

{code:java}Console console = System.console();
if ( console != null )
{
    pass = new String( console.readPassword( "GPG Passphrase:  " ) );
}{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] (MGPG-41) Passphrase revealed when backspacing at prompt

Posted by "Olivier Lamy (JIRA)" <ji...@codehaus.org>.

     [ https://jira.codehaus.org/browse/MGPG-41?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Lamy updated MGPG-41:
-----------------------------

    Fix Version/s: 1.5
    
> Passphrase revealed when backspacing at prompt
> ----------------------------------------------
>
>                 Key: MGPG-41
>                 URL: https://jira.codehaus.org/browse/MGPG-41
>             Project: Maven 2.x and 3.x GPG Plugin
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: Mac OS X Mountain Lion
> Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
> Maven home: /usr/share/maven
> Java version: 1.6.0_37, vendor: Apple Inc.
> Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
> Default locale: en_US, platform encoding: MacRoman
> OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
>            Reporter: Tony Trinh
>             Fix For: 1.5
>
>
> At the "GPG Passphrase" prompt, if I hit the backspace key during the entry, the passphrase is printed in cleartext with one less character. For example:
> {code}GPG Passphrase: ******************^R
> mysecretpasswor*^R
> mysecretpasswo*^R
> mysecretpassw*^R
> mysecretpass*^R
> mysecretpas*^R
> mysecretpa*^R
> mysecretp*^R
> mysecret*^R
> mysecre*^R
> mysecr*^R
> mysec*^R
> myse*^R
> mys*^R
> my*^R
> m*^R
> *^R
> *{code}
> This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in password prompt (as the [code comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217] had suggested to do):
> {code:java}Console console = System.console();
> if ( console != null )
> {
>     pass = new String( console.readPassword( "GPG Passphrase:  " ) );
> }{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] (MGPG-41) Passphrase revealed when backspacing at prompt

Posted by "Michael Osipov (JIRA)" <ji...@codehaus.org>.

    [ https://jira.codehaus.org/browse/MGPG-41?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=316331#comment-316331 ] 

Michael Osipov commented on MGPG-41:
------------------------------------

I second that. One could check whether we are running 1.6 and use System.Console otherwise the thread can still be used.
                
> Passphrase revealed when backspacing at prompt
> ----------------------------------------------
>
>                 Key: MGPG-41
>                 URL: https://jira.codehaus.org/browse/MGPG-41
>             Project: Maven 2.x and 3.x GPG Plugin
>          Issue Type: Bug
>    Affects Versions: 1.4
>         Environment: Mac OS X Mountain Lion
> Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
> Maven home: /usr/share/maven
> Java version: 1.6.0_37, vendor: Apple Inc.
> Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
> Default locale: en_US, platform encoding: MacRoman
> OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
>            Reporter: Tony Trinh
>
> At the "GPG Passphrase" prompt, if I hit the backspace key during the entry, the passphrase is printed in cleartext with one less character. For example:
> {code}GPG Passphrase: ******************^R
> mysecretpasswor*^R
> mysecretpasswo*^R
> mysecretpassw*^R
> mysecretpass*^R
> mysecretpas*^R
> mysecretpa*^R
> mysecretp*^R
> mysecret*^R
> mysecre*^R
> mysecr*^R
> mysec*^R
> myse*^R
> mys*^R
> my*^R
> m*^R
> *^R
> *{code}
> This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in password prompt (as the [code comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217] had suggested to do):
> {code:java}Console console = System.console();
> if ( console != null )
> {
>     pass = new String( console.readPassword( "GPG Passphrase:  " ) );
> }{code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira