Maven 2 & 3

Encryption is triggered if passwords merely contain curly braces

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 2.1.0
  • Fix Version/s: 2.2.0
  • Component/s: Settings
  • Labels: None
  • Complexity: Intermediate
  • Number of attachments: 0

Description

From what I gather, the syntax for encrypted passwords is "{...}", but encryption is also triggered for passwords containing curly braces.

Activity

Oleg Gusakov added a comment -

This is a correct assumption.

Can you encrypt the password? Use http://maven.apache.org/guides/mini/guide-encryption.html to create a master password, then encrypt this one.

Mark Hobson added a comment -

Even if the password is something like: "foo{bar}"? When are curly braces used for encrypted passwords if they don't explicitly start and end the password?

I will try to encrypt the password, but it'd be good if this wasn't necessary.

Oleg Gusakov added a comment - - edited

This was done by intention: so that security dispatcher or user can comment the password: "this password was set on 2009-03-11 and expires .. {COQLCE6DU6GtcS5P=}" and/or add additional information to be processed by the dispatcher

This all resulted from the discussion last year - http://docs.codehaus.org/display/MAVEN/Secured+Passwords

Mark Hobson added a comment -

Right, I see, no worries then. Feel free to close this issue down then thanks.

Oleg Gusakov added a comment -

Looks like a misunderstanding. I will make documentation clearer on this subject.

Thank you Mark!

Oleg Gusakov added a comment -

clarified docs in r752527

Mark Hobson added a comment - - edited

Just trying password encryption to work around this issue but am having problems. Perhaps it'd be worth supporting an escaped syntax of backslash-curly-brace to allow curly braces to still be used in clear text passwords?

Oleg Gusakov added a comment -

We are so close to 2.1.0 release that I'd rather not change anything short of a regression.

Maybe you can re-issue this password? That will buy me some time to fix this long term ..

Mark Hobson added a comment -

Sure, no rush for 2.1.0; I got password encryption working in the end. Do you want me to raise another issue for escaping curly braces or to reopen and rename this one?

Oleg Gusakov added a comment -

reopen to fix curly brackets in the clear text passwords

John Casey added a comment -

This has been implemented in plexus-cipher 1.4-SNAPSHOT, which is a dependency of plexus-sec-dispatcher 1.3-SNAPSHOT. I'll release both of these before we start pulling together the Maven 2.1.1 release.

John Casey added a comment -

escape character is '\'. See http://maven.apache.org/guides/mini/guide-encryption.html#Tips for more (once this is deployed to the public website).

Benjamin Bentmann added a comment -

Escaping mechanism found to be ineffective (MNG-4612).
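
A simplified model of the behaviour discussed in this issue, as an added example that is not taken from the issue or from plexus-cipher: it audits the server passwords in a `settings.xml` and shows which ones would be read as encrypted because they contain an unescaped `{...}` span, with the surrounding text treated as a comment. The regular expression, the function names and the sample settings are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First '{...}' span whose braces are not preceded by a backslash.
# Assumption: a simplified model of the behaviour described in this
# issue, not the pattern plexus-cipher itself uses.
_SPAN = re.compile(r"(?<!\\)\{(.*?)(?<!\\)\}")

# Constructed sample; ids and passwords are made up for the example.
SAMPLE = r"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>a</id><password>foo{bar}</password></server>
    <server><id>b</id><password>set on 2009-03-11 {COQLCE6DU6GtcS5P=}</password></server>
    <server><id>c</id><password>foo\{bar\}</password></server>
    <server><id>d</id><password>hunter2</password></server>
  </servers>
</settings>"""


def classify(value):
    """Return (kind, payload) for one password value."""
    m = _SPAN.search(value)
    if m:
        # Text outside the braces counts as a comment, so only the
        # inner payload would be handed to decryption.
        return ("encrypted", m.group(1))
    if "{" in value or "}" in value:
        # Only escaped or unbalanced braces remain: clear text.
        plain = value.replace("\\{", "{").replace("\\}", "}")
        return ("cleartext-with-braces", plain)
    return ("cleartext", value)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit(settings_xml):
    """List (server id, kind, payload) for every <server> entry."""
    rows = []
    for el in ET.fromstring(settings_xml).iter():
        if _local(el.tag) != "server":
            continue
        fields = {_local(c.tag): (c.text or "") for c in el}
        rows.append((fields.get("id"),) + classify(fields.get("password", "")))
    return rows
```

Server `a` is the `foo{bar}` case from the report: the model classifies it as encrypted with payload `bar`. The `cleartext-with-braces` branch models the `\` escape as John Casey describes it; the final comment reports that mechanism as ineffective (MNG-4612).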
