[jboss-jira] [JBoss JIRA] (SECURITY-771) Enable white-space in parameters for external password command

Ivo Studensky (JIRA) jira-events at lists.jboss.org
Wed Dec 4 03:10:06 EST 2013 

    [ https://issues.jboss.org/browse/SECURITY-771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12928445#comment-12928445 ] 

Ivo Studensky commented on SECURITY-771:
----------------------------------------

I've prepared a patch which introduce a new password option {{\{CMD\}}} based on ProcessBuilder. It takes a command delimited by comma. The comma itself can be backslashed to omit it from splitting.

The javadoc snippet:
{noformat}
    * '{CMD}...' or '{CMDC}...' for a general command to execute. The general
    * command is a string delimited by ',' where the first part is the actual
    * command and further parts represents its parameters. The comma can be
    * backslashed in order to keep it as a part of the parameter.
{noformat}
 
For backward compatibility reasons the current '{EXT}' implementation remains the same.
                
> Enable white-space in parameters for external password command
> --------------------------------------------------------------
>
>                 Key: SECURITY-771
>                 URL: https://issues.jboss.org/browse/SECURITY-771
>             Project: PicketBox 
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: JBossSX
>    Affects Versions: PicketBox_4_0_19.Final
>            Reporter: Ivo Studensky
>            Assignee: Ivo Studensky
>
> The current implementation of the loading the external password by a command uses Runtime.exec() which denies to pass a parameter which contains a white-space to the command, see {EXT} in org.jboss.security.Util#loadPassword(String). 
> It would be nice to provide a new implementation based on ProcessBuilder.
> For example, various ssh-askpass implementations requires a parameter like 'Enter passphrase for ...'. Without the ability to directly pass such a parameter customers are pushed to create a "script in the middle" which makes their application unnecessarily complicated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list