<Swing Dev> [jdk17] RFR: 8268775: Password is being converted to String in AccessibleJPasswordField
Alexander Zuev
kizune at openjdk.java.net
Thu Jun 24 02:36:30 UTC 2021
On Wed, 23 Jun 2021 20:37:22 GMT, Phil Race <prr at openjdk.org> wrote:
>> Here it is just a slight code cleanup. We do not need an additional variable for passing a value from one method to another. It serves no other purpose at all.
>
> Let me ask it this way.
> Does super.getAfterIndex(part, index) return a String with any of the password in clear text?
> It seems to me like it might.
For CHARACTER it will return a String with a single character in the corresponding position. There is a possibility that someone will iterate over the entirety of the password text and get all the characters in the password as separate strings, but digging that out of a memory dump is much more difficult than a single string with the whole password.
For anything but CHARACTER we do not use this method - we get the password as an array of characters and - after the fix - immediately overwrite them with the same number of echo characters.
-------------
PR: https://git.openjdk.java.net/jdk17/pull/127
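
An added illustration of the point made in the reply above (not code from the JDK patch or from the message's author): masking a JPasswordField value through an intermediate String, next to overwriting the char[] copy with echo characters before any String is built. The class and method names are hypothetical and the password is a constructed sample value.

```java
import java.util.Arrays;
import javax.swing.JPasswordField;

// Added illustration; class and method names are hypothetical, not from the JDK patch.
public class EchoMaskDemo {

    // Weak form: the whole password becomes an immutable String that cannot be
    // wiped and stays on the heap until the garbage collector reclaims it.
    static String maskViaString(JPasswordField field) {
        String clear = new String(field.getPassword()); // full clear-text copy
        return String.valueOf(field.getEchoChar()).repeat(clear.length());
    }

    // Hardened form: overwrite the char[] copy with echo characters first, so
    // the only String ever created holds echo characters.
    static String maskInPlace(JPasswordField field) {
        char[] chars = field.getPassword();      // fresh copy owned by the caller
        Arrays.fill(chars, field.getEchoChar()); // clear text removed from this array
        return new String(chars);
    }

    public static void main(String[] args) {
        // Constructed sample value, used only for this demonstration.
        JPasswordField field = new JPasswordField("s3cret-constructed");
        field.setEchoChar('*');
        System.out.println(maskViaString(field)); // same output, but a clear-text String was created
        System.out.println(maskInPlace(field));   // same output, no clear-text String created here
    }
}
```

Both methods return the same masked text; the difference is only in what is left behind on the heap for a memory dump to find.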