Tony Trinh created MGPG-41:
------------------------------

             Summary: Passphrase revealed when backspacing at prompt
                 Key: MGPG-41
                 URL: https://jira.codehaus.org/browse/MGPG-41
             Project: Maven 2.x and 3.x GPG Plugin
          Issue Type: Bug
    Affects Versions: 1.4
         Environment: Mac OS X Mountain Lion

Apache Maven 3.0.3 (r1075438; 2011-02-28 11:31:09-0600)
Maven home: /usr/share/maven
Java version: 1.6.0_37, vendor: Apple Inc.
Java home: /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Default locale: en_US, platform encoding: MacRoman
OS name: "mac os x", version: "10.8.2", arch: "x86_64", family: "mac"
            Reporter: Tony Trinh


At the "GPG Passphrase" prompt, if I hit the backspace key during the entry, 
the passphrase is printed in cleartext with one less character. For example:

{code}GPG Passphrase: ******************^R
mysecretpasswor*^R
mysecretpasswo*^R
mysecretpassw*^R
mysecretpass*^R
mysecretpas*^R
mysecretpa*^R
mysecretp*^R
mysecret*^R
mysecre*^R
mysecr*^R
mysec*^R
myse*^R
mys*^R
my*^R
m*^R
*^R
*{code}

This can be fixed by replacing the {{MaskingThread}} with Java 6's built-in 
password prompt (as the [code comment|http://grepcode.com/file/repository.jboss.org/maven2/org.apache.maven.plugins/maven-gpg-plugin/1.0-alpha-4/org/apache/maven/plugin/gpg/GpgSigner.java#217] 
had suggested to do):

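{code:java}Console console = System.console();
if ( console != null )
{
    // readPassword() turns off echo; it returns null at end of stream
    char[] chars = console.readPassword( "GPG Passphrase:  " );
    if ( chars != null )
    {
        pass = new String( chars );
    }
}{code}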

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
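
A fuller version of the Console-based prompt suggested in the report, as an added example that is not part of the original message or the plugin's code: it fails closed when no console is attached, handles end of stream, and wipes the passphrase buffer after use. The names PassphrasePrompt, PassphraseUser and withPassphrase are hypothetical.

```java
import java.io.Console;
import java.util.Arrays;
// Added example, not maven-gpg-plugin code; all type and method names are hypothetical.
public final class PassphrasePrompt
{
    /** Callback that consumes the passphrase while it is still in memory. */
    public interface PassphraseUser
    {
        void use( char[] passphrase ) throws Exception;
    }

    public static void withPassphrase( String prompt, PassphraseUser user ) throws Exception
    {
        Console console = System.console();
        if ( console == null )
        {
            // No interactive terminal (piped stdin, CI job): fail closed, never read with echo on.
            throw new IllegalStateException( "no console: cannot read passphrase without echo" );
        }
        // "%s" keeps a '%' in the prompt from being treated as a format directive.
        char[] passphrase = console.readPassword( "%s", prompt );
        if ( passphrase == null )
        {
            // End of stream (for example Ctrl-D) before a line was entered.
            throw new IllegalStateException( "no passphrase entered" );
        }
        try
        {
            user.use( passphrase );
        }
        finally
        {
            // Overwrite the buffer so the cleartext does not linger on the heap.
            Arrays.fill( passphrase, '\0' );
        }
    }

    public static void main( String[] args ) throws Exception
    {
        withPassphrase( "GPG Passphrase: ", new PassphraseUser()
        {
            public void use( char[] passphrase )
            {
                System.out.println( "passphrase read without echo" );
            }
        } );
    }
}
```

Keeping the passphrase as a char[] rather than a String is what makes the wipe in the finally block possible, since a String cannot be cleared once created.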

        
