RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v10]
Sean Mullan
mullan at openjdk.org
Mon Oct 6 14:53:50 UTC 2025
On Fri, 26 Sep 2025 22:59:32 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Allow password hiding even if there is no `System.console`. A manual test is included.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> update bug list in test
src/java.base/share/classes/sun/security/util/Password.java line 62:
> 60: consoleEntered = ConsoleHolder.readPassword();
> 61: // readPassword returns "" if you just press ENTER with the built-in Console,
> 62: // to be compatible with old Password class, change to null
This is an odd comment - what is the "old Password class"? Maybe you just want to remove the "to be compatible with old Password class" part from this comment.
test/jdk/sun/security/tools/keytool/EchoPassword.java line 1:
> 1: /*
In this test, where are you verifying that a warning is shown when the input is echoed?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2406585327
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2406794334
More information about the client-libs-dev
mailing list