[
https://jira.codehaus.org/browse/MGPG-41?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Connolly closed MGPG-41.
--------------------------------
Resolution: Fixed
Assignee: Stephen Connolly
r1570549
Fixed for JVM 1.6+ using reflection. Bug will still be present on JVM 1.5
fallback code path
> Passphrase revealed when backspacing at prompt
> ----------------------------------------------
>
> Key: MGPG-41
> URL: https://jira.codehaus.org/browse/MGPG-41
> Project: Maven GPG Plugin
> Issue Type: Bug
> Affects Versions: 1.4
> Environment: Mac OS X Mountain Lion
> Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
> Maven home: /usr/share/maven
> Java version: 1.6.0_37, vendor: Apple Inc.
> Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
> Default locale: en_US, platform encoding: MacRoman
> OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
> Reporter: Tony Trinh
> Assignee: Stephen Connolly
> Fix For: 1.5
>
>
> At the "GPG Passphrase" prompt, if I hit the backspace key during the entry,
> the passphrase is printed in cleartext with one less character. For example:
> {code}GPG Passphrase: ******************^R
> mysecretpasswor*^R
> mysecretpasswo*^R
> mysecretpassw*^R
> mysecretpass*^R
> mysecretpas*^R
> mysecretpa*^R
> mysecretp*^R
> mysecret*^R
> mysecre*^R
> mysecr*^R
> mysec*^R
> myse*^R
> mys*^R
> my*^R
> m*^R
> *^R
> *{code}
> This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in
> password prompt (as the [code
> comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217]
> had suggested to do):
> {code:java}Console console = System.console();
> if ( console != null )
> {
> pass = new String( console.readPassword( "GPG Passphrase: " ) );
> }{code}
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
