RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v10]
Weijun Wang
weijun at openjdk.org
Mon Oct 6 15:16:54 UTC 2025
On Mon, 6 Oct 2025 14:14:31 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> update bug list in test
>
> src/java.base/share/classes/sun/security/util/Password.java line 62:
>
>> 60: consoleEntered = ConsoleHolder.readPassword();
>> 61: // readPassword returns "" if you just press ENTER with the built-in Console,
>> 62: // to be compatible with old Password class, change to null
>
> This is an odd comment - what is the "old Password class"? Maybe you just want to remove the "to be compatible with old Password class" part from this comment.
I meant to be consistent with the parse-from-inputstream behavior, but I just realized the more important check here is for null since that is a possible return value. For an empty input, even if we don't stop here, `consoleBytes` and `in` will be empty and the first `in.read()` would return -1 and `offset` stays 0 and a null will be returned.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2406926705
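The control flow Weijun describes above, as an added illustration that is not the JDK's `Password.java` and not code from the thread: a simplified byte-oriented line reader with the same shape (read until `'\n'` or end of stream, return null when `offset` stays 0), fed a piped line, an empty stream, and a stand-in for the Console returning an empty `char[]` on ENTER. The names `readLine`, `readPassword` and `consoleEnterPressed` are assumptions for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordReadDemo {

    // Hypothetical stand-in for what the built-in Console returns when the
    // user just presses ENTER: an empty char[], not null.
    static char[] consoleEnterPressed() {
        return new char[0];
    }

    // Simplified line reader with the shape described in the thread: read
    // bytes until '\n' or end of stream and return null when nothing was
    // read. Bytes are widened to chars one-to-one (Latin-1), and every
    // intermediate buffer is wiped before returning.
    static char[] readLine(InputStream in) throws IOException {
        char[] buf = new char[128];
        int offset = 0;
        int c;
        while ((c = in.read()) != -1 && c != '\n') {
            if (offset == buf.length) {
                char[] bigger = new char[buf.length * 2];
                System.arraycopy(buf, 0, bigger, 0, offset);
                Arrays.fill(buf, ' ');
                buf = bigger;
            }
            buf[offset++] = (char) c;
        }
        // Drop a trailing '\r' so a CRLF line ending is not part of the secret.
        if (offset > 0 && buf[offset - 1] == '\r') {
            offset--;
        }
        if (offset == 0) {
            // Empty line and end-of-stream look the same: offset stayed 0.
            Arrays.fill(buf, ' ');
            return null;
        }
        char[] ret = Arrays.copyOf(buf, offset);
        Arrays.fill(buf, ' ');
        return ret;
    }

    // If the Console answered (fromConsole != null), route its answer through
    // the same loop as a byte stream; an empty char[] becomes an empty stream
    // and therefore yields null without a separate length check.
    static char[] readPassword(InputStream in, char[] fromConsole) throws IOException {
        byte[] consoleBytes = null;
        try {
            if (fromConsole != null) {
                // Manual Latin-1 narrowing instead of new String(...) so no
                // unwipeable String copy of the secret is created.
                consoleBytes = new byte[fromConsole.length];
                for (int i = 0; i < fromConsole.length; i++) {
                    consoleBytes[i] = (byte) fromConsole[i];
                }
                in = new ByteArrayInputStream(consoleBytes);
            }
            return readLine(in);
        } finally {
            if (fromConsole != null) Arrays.fill(fromConsole, ' ');
            if (consoleBytes != null) Arrays.fill(consoleBytes, (byte) 0);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs for the three cases discussed in the thread.
        char[] piped = readPassword(
                new ByteArrayInputStream("s3cret\r\n".getBytes(StandardCharsets.ISO_8859_1)), null);
        char[] emptyStream = readPassword(new ByteArrayInputStream(new byte[0]), null);
        char[] enterOnConsole = readPassword(null, consoleEnterPressed());

        // Report lengths only; the secret itself is never echoed.
        System.out.println("piped line:      " + (piped == null ? "null" : piped.length + " chars"));
        System.out.println("empty stream:    " + emptyStream);
        System.out.println("console + ENTER: " + enterOnConsole);
        if (piped != null) Arrays.fill(piped, ' ');
    }
}
```

Running `main` prints `6 chars` for the piped line and `null` for both the empty stream and the Console-with-ENTER case, which is the point made in the reply: the `offset == 0` check at the end of the loop already covers the empty Console answer, so the only condition that genuinely needs its own test before the loop is `readPassword()` returning null.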
More information about the client-libs-dev mailing list