<Swing Dev> [jdk17] RFR: 8268775: Password is being converted to String in AccessibleJPasswordField

Vest github.com+1671049+vest at openjdk.java.net
Thu Jun 24 07:36:33 UTC 2021


On Wed, 23 Jun 2021 19:32:11 GMT, Alexander Zuev <kizune at openjdk.org> wrote:

>> src/java.desktop/share/classes/javax/swing/JPasswordField.java line 514:
>> 
>>> 512:         public String getAtIndex(int part, int index) {
>>> 513:             if (part == AccessibleText.CHARACTER) {
>>> 514:                 return getEchoString(super.getAtIndex(part, index));
>> 
>> I don't see how removing the local variable changes anything. Explanation?
>
> Here it is just a slight code cleanup. We do not need an additional variable for passing a value from one method to another. It serves no other purpose at all. It was used before on the second leg of the if, but the usage was removed, so it became useless.

If this is about security, I don’t see how it might help. There is a chance that the heap dump might capture the content of the local variable. If you submit your heap dump to someone whom you do not trust, I have bad news for you.

The probability of the heap dump capturing a local variable is more than zero. True, but less than probable.

I don’t know if calling the same methods in a single line makes this control more secure (if we take the situation that the heap dump pauses the execution of the thread exactly at our "moment of time"). I am not a member of the JDK project, but I doubt that this PR solves something.

To me, an additional local variable adds better supportability (debugging) to this code. Otherwise everything should be put into a single fat method.

-------------

PR: https://git.openjdk.java.net/jdk17/pull/127

