Maven / MNG-4612

Password escaping doesn't work


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Incomplete
    • Affects Version/s: 2.2.1, 3.0-alpha-7
    • Fix Version/s: None
    • Component/s: Settings
    • Labels: None

    Description

      In MNG-4611 some user presented a cleartext password of the form

      {DESede}y+qq...==
      

      Given the presence of braces, this password needs to be escaped to be used as a cleartext password. However, the escaping syntax documented in Maven Password Encryption is broken. Trying the documented way of putting in backslashes and embedding the entire string again in braces like

      {\{DESede\}y+qq...==}
      

      yields

      [WARNING] Not decrypting password for server 'maven-core-it' due to exception in security handler.
      Cause: null
      [DEBUG] Full trace follows
      org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
      org.sonatype.plexus.components.cipher.PlexusCipherException:
      java.lang.ArrayIndexOutOfBoundsException
              at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt(DefaultSecDispatcher.java:121)
              at org.apache.maven.DefaultMaven.resolveParameters(DefaultMaven.java:738)
              at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:250)
              at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:138)
              at org.apache.maven.cli.MavenCli.main(MavenCli.java:362)
              at org.apache.maven.cli.compat.CompatibleMain.main(CompatibleMain.java:60)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:592)
              at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
              at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
              at org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)
              at org.codehaus.classworlds.Launcher.main(Launcher.java:375)
      Caused by: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException
              at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:193)
              at org.sonatype.plexus.components.cipher.DefaultPlexusCipher.decrypt(DefaultPlexusCipher.java:72)
              at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt(DefaultSecDispatcher.java:96)
              ... 13 more
      Caused by: java.lang.ArrayIndexOutOfBoundsException
              at java.lang.System.arraycopy(Native Method)
              at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175)
              ... 15 more
      

      Trying without the surrounding braces as suggested by the source code

      \{DESede\}y+qq...==
      

      successfully prevents decryption, but the string isn't unescaped either, making Maven use a wrong password.

            People

              Assignee: Unassigned
              Reporter: Benjamin Bentmann (bentmann)
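One way a settings parser could treat the three password forms from the description, as an added Java example that is not Maven or plexus-sec-dispatcher code. The class name, the `parse` policy (reject a braced value that is not plausible Base64 ciphertext instead of passing it to the cipher, and unescape `\{`, `\}` and `\\` in cleartext) and the 16-byte minimum are assumptions.

```java
import java.util.Base64;

// Added illustration only; this is not Maven or plexus-sec-dispatcher code.
public class SettingsPassword {
    enum Kind { ENCRYPTED, LITERAL }
    record Parsed(Kind kind, String value) {}          // records need Java 16+

    static final int MIN_CIPHERTEXT_BYTES = 16;        // assumed floor, not a Maven constant

    // Index of the first ch at or after 'from' that no backslash escapes, or -1.
    static int unescaped(String s, char ch, int from) {
        for (int i = from; i < s.length(); i++) {
            if (s.charAt(i) == '\\') { i++; continue; }  // skip the escaped character
            if (s.charAt(i) == ch) return i;
        }
        return -1;
    }

    // True only if the payload is Base64 and long enough to be sliced safely.
    static boolean looksLikeCiphertext(String payload) {
        try {
            return Base64.getDecoder().decode(payload).length >= MIN_CIPHERTEXT_BYTES;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    static Parsed parse(String raw) {
        int open = unescaped(raw, '{', 0);
        int close = open < 0 ? -1 : unescaped(raw, '}', open + 1);
        if (open >= 0 && close > open) {
            String payload = raw.substring(open + 1, close);
            if (looksLikeCiphertext(payload)) return new Parsed(Kind.ENCRYPTED, payload);
            // Fail with a usable message instead of an exception from inside the cipher.
            throw new IllegalArgumentException("braced value is not ciphertext; escape literal braces");
        }
        // No unescaped brace pair: cleartext. Remove the escapes so the real password is used.
        return new Parsed(Kind.LITERAL, raw.replaceAll("\\\\([{}\\\\])", "$1"));
    }

    public static void main(String[] args) {
        // The three forms exactly as shown in the description, elision included.
        String[] forms = { "{DESede}y+qq...==", "{\\{DESede\\}y+qq...==}", "\\{DESede\\}y+qq...==" };
        for (String f : forms) {
            try { System.out.println(f + " -> " + parse(f)); }
            catch (IllegalArgumentException e) { System.out.println(f + " -> rejected: " + e.getMessage()); }
        }
    }
}
```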