[
https://issues.apache.org/jira/browse/KARAF-4199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré updated KARAF-4199:
----------------------------------------
Fix Version/s: 4.0.6
4.1.0
> Privacy Violation: Heap Inspection
> ----------------------------------
>
> Key: KARAF-4199
> URL: https://issues.apache.org/jira/browse/KARAF-4199
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Assignee: Jean-Baptiste Onofré
> Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify and SciTools Understand were used to perform an application
> security scan on the karaf source code.
> The method interactive() in Main.java stores sensitive data in a String
> object on line 127, making it impossible to reliably purge the data from
> memory.
> Main.java, lines 120-137:
> {code}
> 120 public String[] interactive(String destination, String name, String
> instruction, String[] prompt, boolean[] echo) {
> 121 String[] answers = new String[prompt.length];
> 122 try {
> 123 for (int i = 0; i < prompt.length; i++) {
> 124 if (echo[i]) {
> 125 answers[i] = console.readLine(prompt[i] + " ");
> 126 } else {
> 127 answers[i] = new String(console.readPassword(prompt[i] +
> " "));
> 128 }
> 129 if (answers[i] == null) {
> 130 return null;
> 131 }
> 132 }
> 133 return answers;
> 134 } catch (IOError e) {
> 135 return null;
> 136 }
> 137 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
