[ 
https://issues.apache.org/jira/browse/NET-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888909#comment-15888909
 ] 

Sebb commented on NET-616:
--------------------------

Fixing Base64#encodeBase64StringUnChunked would not solve the problem, as the 
password is passed in using a String.

AFAICT large parts of the NET code would have to be rewritten to allow bytes 
(or chars?) to be used instead of a String.

> Heap Inspection: Passwords can be revealed from heap
> ----------------------------------------------------
>
>                 Key: NET-616
>                 URL: https://issues.apache.org/jira/browse/NET-616
>             Project: Commons Net
>          Issue Type: Bug
>          Components: IMAP
>    Affects Versions: 3.6
>            Reporter: Donald Kwakkel
>
> password is used as string in 
> src/main/java/org/apache/commons/net/imap/AuthenticatingIMAPClient.java. This 
> should be passed as bytes and be cleaned after usage.
> Abstract:
> The method newStringUtf8() in Base64.java stores sensitive data in a String 
> object, making it impossible to reliably purge the data from memory.
> Explanation:
> Sensitive data (such as passwords, social security numbers, credit card 
> numbers etc) stored in memory can be leaked if memory is not cleared after 
> use. Often, Strings are used to store sensitive data; however, since String 
> objects are immutable, removing the value of a String from memory can only be 
> done by the JVM garbage collector. The garbage collector is not required to 
> run unless the JVM is low on memory, so there is no guarantee as to when 
> garbage collection will take place. In the event of an application crash, a 
> memory dump of the application might reveal sensitive data.
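The approach the report asks for (password held as bytes/chars and cleared after use), shown as an added example that is not Commons Net code: the credential is Base64-encoded for an auth exchange on the byte[] path only, and every scratch copy is zeroed. It assumes the caller has already read the password into a char[] (e.g. via Console.readPassword); the literal in main is only a constructed sample and would itself sit in the String pool in a real program.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Added example (not Commons Net code): Base64-encode a credential without
 *  ever materialising it as a java.lang.String, then wipe all intermediates. */
public final class ScrubbedCredential {

    /** Returns Base64(UTF-8(password)) as bytes; all scratch copies are zeroed. */
    public static byte[] encodeAndScrub(char[] password) {
        // CharBuffer.wrap shares the caller's array: no extra char copy is made.
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[utf8.remaining()];
        utf8.get(raw);
        // Charset.encode returns a heap buffer; zero its backing array as well.
        if (utf8.hasArray()) {
            Arrays.fill(utf8.array(), (byte) 0);
        }
        try {
            // byte[] -> byte[] encoding: no String is created on this path.
            return Base64.getEncoder().encode(raw);
        } finally {
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(password, '\0'); // the caller's array is cleared too
        }
    }

    public static void main(String[] args) {
        // Constructed sample only; a real application reads straight into char[].
        char[] pw = "s3cret".toCharArray();
        byte[] encoded = encodeAndScrub(pw);
        System.out.println(new String(encoded, StandardCharsets.US_ASCII)); // czNjcmV0
        // The encoded form is secret-equivalent, so wipe it once it has been sent.
        Arrays.fill(encoded, (byte) 0);
        System.out.println(Arrays.toString(pw)); // every element is '\0'
    }
}
```

The remaining gap is exactly the one Sebb points out: callers that still hand the password over as a String defeat this, since that copy cannot be cleared from the heap.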



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)