[ https://issues.apache.org/jira/browse/MNG-8398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Nord updated MNG-8398:
----------------------------
    Description:
Maven 3.2.1 provided a way to enter the password to be encrypted via interactive input for security reasons.
However the implementation uses the {{java.io.Console}} API with no fallback to stdin/stdout.
This makes it virtually impossible[1] to securely[2] encrypt a password from another program (for example a tool that will bootstrap a {{settings.xml}} for a corporate structure etc.)

h3. Steps to reproduce
(to reproduce without any 3rd party tooling run, which is not how I would expect this to be called, but is here to demonstrate)
{{echo n myMasterPassword |mvn -encrypt-master-password}}
h4. Expected results
{{{base64HexString}}}
h4. Actual results
{{{{{{}}{}}}}}

[1] without relying on 3rd party tools that may not be installed, e.g. on Linux you can use {{script}} (which is likely to be installed), but on Windows you have no such generally available solution
[2] without the password being exposed in the process list (which is why this was implemented to begin with).

  was:
Maven 3.2.1 provided a way to enter the password to be encrypted via interactive input for security reasons.
However the implementation uses the {{java.io.Console}} API with no fallback to stdin/stdout.
This makes it virtually impossible[1] to securely[2] encrypt a password from another program (for example a tool that will bootstrap a {{settings.xml}} for a corporate structure etc.)

h3. Steps to reproduce
(to reproduce without any 3rd party tooling run, which is not how I would expect this to be called, but is here to demonstrate)
{{echo n myMasterPassword |mvn -encrypt-master-password}}
h4. Expected results
{{{base64HexString}}}
h4. Actual results
{{{}}}

[1] without relying on 3rd party tools that may not be installed, e.g. on Linux you can use {{script}} (which is likely to be installed), but on Windows you have no such generally available solution
[2] without the password being exposed in the process list (which is why this was implemented to begin with).

> mvn --encrypt[--master]--password should work with redirected streams
> ---------------------------------------------------------------------
>
>                 Key: MNG-8398
>                 URL: https://issues.apache.org/jira/browse/MNG-8398
>             Project: Maven
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 3.9.9
>            Reporter: James Nord
>            Priority: Minor

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
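
The fallback the issue asks for, sketched as an added example (not Maven's code and not part of the original message): use {{java.io.Console}} when a terminal is attached, otherwise read the secret from redirected stdin so it never appears on a command line. The class {{PasswordPrompt}} and method {{readSecret}} are hypothetical names, and the sketch assumes a JDK on which {{System.console()}} returns null when stdin is redirected.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical class for illustration; not taken from Maven.
public class PasswordPrompt {

    /** Reads a secret from the terminal if one is attached, otherwise from redirected stdin. */
    static char[] readSecret(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) {
            // Interactive terminal: echo is off while the user types.
            char[] typed = console.readPassword("%s", prompt);
            if (typed == null) throw new IOException("end of input while reading password");
            return typed;
        }
        // No console (stdin is a pipe or file): read one line, no prompt, no String copy.
        Reader in = new InputStreamReader(System.in, StandardCharsets.UTF_8);
        char[] buf = new char[64];
        int n = 0, c;
        while ((c = in.read()) != -1 && c != '\n') {
            if (c == '\r') continue;            // tolerate CRLF from Windows callers
            if (n == buf.length) {
                char[] bigger = Arrays.copyOf(buf, n * 2);
                Arrays.fill(buf, '\0');         // wipe the outgrown buffer
                buf = bigger;
            }
            buf[n++] = (char) c;
        }
        if (n == 0 && c == -1) throw new IOException("no password supplied on stdin");
        char[] secret = Arrays.copyOf(buf, n);
        Arrays.fill(buf, '\0');
        return secret;
    }

    public static void main(String[] args) throws IOException {
        char[] secret = readSecret("Master password: ");
        try {
            // Report only the length; the secret itself is never printed.
            System.out.println("read " + secret.length + " characters");
        } finally {
            Arrays.fill(secret, '\0');          // clear the caller's copy when done
        }
    }
}
```

The decoder inside {{InputStreamReader}} keeps its own byte buffer that this code cannot wipe, so the zeroing covers only the arrays the method owns.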