[
https://issues.jboss.org/browse/SECURITY-771?page=com.atlassian.jira.plug...
]
Ivo Studensky edited comment on SECURITY-771 at 12/4/13 3:09 AM:
-----------------------------------------------------------------
I've prepared a patch which introduce a new password option {{\{CMD\}}} based on
ProcessBuilder. It takes a command delimited by comma. The comma itself can be backslashed
to omit it from splitting.
The javadoc snippet:
{noformat}
* '{CMD}...' or '{CMDC}...' for a general command to execute. The
general
* command is a string delimited by ',' where the first part is the actual
* command and further parts represents its parameters. The comma can be
* backslashed in order to keep it as a part of the parameter.
{noformat}
For backward compatibility reasons the current {{\{EXT\}}} implementation remains the
same.
was (Author: istudens):
I've prepared a patch which introduce a new password option {{\{CMD\}}} based on
ProcessBuilder. It takes a command delimited by comma. The comma itself can be backslashed
to omit it from splitting.
The javadoc snippet:
{noformat}
* '{CMD}...' or '{CMDC}...' for a general command to execute. The
general
* command is a string delimited by ',' where the first part is the actual
* command and further parts represents its parameters. The comma can be
* backslashed in order to keep it as a part of the parameter.
{noformat}
For backward compatibility reasons the current '{EXT}' implementation remains the
same.
Enable white-space in parameters for external password command
--------------------------------------------------------------
Key: SECURITY-771
URL:
https://issues.jboss.org/browse/SECURITY-771
Project: PicketBox
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_4_0_19.Final
Reporter: Ivo Studensky
Assignee: Ivo Studensky
The current implementation of the loading the external password by a command uses
Runtime.exec() which denies to pass a parameter which contains a white-space to the
command, see {EXT} in org.jboss.security.Util#loadPassword(String).
It would be nice to provide a new implementation based on ProcessBuilder.
For example, various ssh-askpass implementations requires a parameter like 'Enter
passphrase for ...'. Without the ability to directly pass such a parameter customers
are pushed to create a "script in the middle" which makes their application
unnecessarily complicated.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira