[ https://issues.apache.org/jira/browse/NET-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888909#comment-15888909 ]
Sebb commented on NET-616:
--------------------------

Fixing Base64#encodeBase64StringUnChunked would not solve the problem, as the password is passed in using a String. AFAICT large parts of the NET code would have to be rewritten to allow bytes (or chars?) to be used instead of a String.

> Heap Inspection: Passwords can be revealed from heap
> ----------------------------------------------------
>
>                 Key: NET-616
>                 URL: https://issues.apache.org/jira/browse/NET-616
>             Project: Commons Net
>          Issue Type: Bug
>          Components: IMAP
>    Affects Versions: 3.6
>            Reporter: Donald Kwakkel
>
> Password is used as a string in src/main/java/org/apache/commons/net/imap/AuthenticatingIMAPClient.java. This should be passed as bytes and be cleaned after usage.
>
> Abstract:
> The method newStringUtf8() in Base64.java stores sensitive data in a String object, making it impossible to reliably purge the data from memory.
>
> Explanation:
> Sensitive data (such as passwords, social security numbers, credit card numbers etc.) stored in memory can be leaked if memory is not cleared after use. Often, Strings are used to store sensitive data; however, since String objects are immutable, removing the value of a String from memory can only be done by the JVM garbage collector. The garbage collector is not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
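One way to keep the password out of String objects along the path the report describes, as an added example that is not Commons Net code: it builds the SASL PLAIN initial response for IMAP AUTHENTICATE from a char[], encodes with the byte[] API of java.util.Base64 instead of the String-returning Base64#encodeBase64StringUnChunked, and zeroes every intermediate buffer. The class name, method name, use of the PLAIN mechanism and the sample credentials are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/**
 * Hypothetical helper: builds the SASL PLAIN initial response ("\0user\0password")
 * for an IMAP AUTHENTICATE command without ever placing the password in a String.
 * Every char[]/byte[] holding the secret is zeroed as soon as it is no longer needed,
 * so the value does not linger on the heap until the garbage collector runs.
 */
public final class PlainAuthBytes {

    /** Returns the base64 response; the caller must zero the returned array after sending it. */
    static byte[] encodePlain(String user, char[] password) {
        byte[] userBytes = user.getBytes(StandardCharsets.UTF_8);

        // UTF-8 encode the chars via CharBuffer/ByteBuffer, not via new String(char[]).
        ByteBuffer pwBuf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] pwBytes = new byte[pwBuf.remaining()];
        pwBuf.get(pwBytes);
        if (pwBuf.hasArray()) {              // wipe the encoder's backing array as well
            Arrays.fill(pwBuf.array(), (byte) 0);
        }

        byte[] message = new byte[1 + userBytes.length + 1 + pwBytes.length];
        message[0] = 0;
        System.arraycopy(userBytes, 0, message, 1, userBytes.length);
        message[1 + userBytes.length] = 0;
        System.arraycopy(pwBytes, 0, message, 2 + userBytes.length, pwBytes.length);
        Arrays.fill(pwBytes, (byte) 0);

        // java.util.Base64 encodes byte[] -> byte[], so no String is created here either.
        byte[] encoded = Base64.getEncoder().encode(message);
        Arrays.fill(message, (byte) 0);
        return encoded;
    }

    public static void main(String[] args) {
        // Constructed sample; in practice the char[] comes from e.g. Console.readPassword().
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] line = encodePlain("alice", password);
        Arrays.fill(password, '\0');            // caller wipes its copy once encoded
        System.out.write(line, 0, line.length); // would go to the IMAP socket after "AUTHENTICATE PLAIN"
        System.out.println();
        Arrays.fill(line, (byte) 0);            // and wipes the encoded form after sending
    }
}
```

The wipe is only as good as the surrounding code: any layer that still calls toString(), logs the buffer, or returns a String from the encoder reintroduces the heap copy the report describes.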