[
https://issues.apache.org/jira/browse/MNG-8398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tamas Cservenak updated MNG-8398:
---------------------------------
Fix Version/s: (was: 4.0.0-rc-2)
> mvn --encrypt[--master]--password should work with redirected streams
> ---------------------------------------------------------------------
>
> Key: MNG-8398
> URL: https://issues.apache.org/jira/browse/MNG-8398
> Project: Maven
> Issue Type: Improvement
> Components: Core
> Affects Versions: 3.9.9
> Reporter: James Nord
> Priority: Minor
>
> Maven 3.2.1 provided a way to enter the password to be encrypted via
> interactive input for security reasons.
> However the implementation uses the {{java.io.Console}} API with no fallback
> to stdin/stdout.
> This makes it virtually impossible[1] to securely[2] encrypt a password from
> another program (for example a tool that will bootstrap a {{settings.xml}}
> for a corporate structure etc.
>
> h3. Steps to reproduce
> (to reproduce without any 3rd party tooling run, which is not how I would
> expect this to be called, but is here to demonstrate)
> {{echo n myMasterPassword |mvn -encrypt-master-password}}
> h4. Expected results
> {{\{base64HexString\}}}
> h4. Actual results
> {{\{\}}}
>
> [1] without relying on 3rd party tools that may not be installed, eg. on
> Linux you can use {{script}} (which is likely to be installed), but on
> windows you have no such generally available solution
> [2] without the password being showing exposed in the process list (which is
> why this was implemented to begin with).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
