-
Bug
-
Resolution: Fixed
-
P3
-
8, 11, 17, 21, 24, 25
-
b10
-
generic
-
os_x
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8366170 | 25.0.2 | Alexey Ivanov | P3 | Resolved | Fixed | master |
ADDITIONAL SYSTEM INFORMATION :
Observed using Aqua L&F on Mac, using JDK25
A DESCRIPTION OF THE PROBLEM :
Other tickets (such as 8354646, 6191897) point out that users should not be able to identify where spaces are in a JPasswordField.
On Mac I'm still able to identify some information about whitespace with keyboard shortcuts like ALT + BACKSPACE.
(I haven't tested this on other L&Fs yet.)
I think (?) resolving this may involve updating getPasswordFieldInputMap()
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the attached source code. If it identifies KeyStrokes: try using those in the JPasswordField to identify where spaces are in the in password.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No keystrokes should help you identify where spaces are in the password. (This test should probably not even output KeyStrokes to the console.)
ACTUAL -
The test writes this to the console, and each keyboard shortcuts identifies word boundaries:
```
delete-previous-word (alt pressed BACK_SPACE)
delete-previous-word (ctrl pressed W)
delete-next-word (alt pressed DELETE)
Try using the above KeyStrokes to identify the boundary of words in the JPasswordField
```
---------- BEGIN SOURCE ----------
import javax.swing.*;
import javax.swing.text.DefaultEditorKit;
import java.awt.event.ActionEvent;
public class PasswordSelectionWordTest {
public static void main(String[] args) throws Exception {
SwingUtilities.invokeAndWait(() -> {
String str = "one two three";
JPasswordField field = new JPasswordField(str);
boolean foundSuspiciousInputs = false;
for (int condition : new int[] {
JComponent.WHEN_IN_FOCUSED_WINDOW,
JComponent.WHEN_FOCUSED,
JComponent.WHEN_ANCESTOR_OF_FOCUSED_COMPONENT
}) {
InputMap inputMap = field.getInputMap(condition);
if (inputMap.allKeys() == null)
continue;
for (KeyStroke keyStroke : inputMap.allKeys()) {
Object actionBinding = inputMap.get(keyStroke);
if (String.valueOf(actionBinding).contains("word")) {
System.out.println(inputMap.get(keyStroke) + " (" + keyStroke + ")");
foundSuspiciousInputs = true;
}
}
}
if (!foundSuspiciousInputs) {
System.out.println("No suspicious KeyStrokes detected; this test passes.");
System.exit(0);
}
System.out.println("\n\nTry using the above KeyStrokes to identify the boundary of words in the JPasswordField");
JFrame f = new JFrame();
f.getContentPane().add(field);
f.pack();
f.setVisible(true);
});
}
}
---------- END SOURCE ----------
Observed using Aqua L&F on Mac, using JDK25
A DESCRIPTION OF THE PROBLEM :
Other tickets (such as 8354646, 6191897) point out that users should not be able to identify where spaces are in a JPasswordField.
On Mac I'm still able to identify some information about whitespace with keyboard shortcuts like ALT + BACKSPACE.
(I haven't tested this on other L&Fs yet.)
I think (?) resolving this may involve updating getPasswordFieldInputMap()
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the attached source code. If it identifies KeyStrokes: try using those in the JPasswordField to identify where spaces are in the in password.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No keystrokes should help you identify where spaces are in the password. (This test should probably not even output KeyStrokes to the console.)
ACTUAL -
The test writes this to the console, and each keyboard shortcuts identifies word boundaries:
```
delete-previous-word (alt pressed BACK_SPACE)
delete-previous-word (ctrl pressed W)
delete-next-word (alt pressed DELETE)
Try using the above KeyStrokes to identify the boundary of words in the JPasswordField
```
---------- BEGIN SOURCE ----------
import javax.swing.*;
import javax.swing.text.DefaultEditorKit;
import java.awt.event.ActionEvent;
public class PasswordSelectionWordTest {
public static void main(String[] args) throws Exception {
SwingUtilities.invokeAndWait(() -> {
String str = "one two three";
JPasswordField field = new JPasswordField(str);
boolean foundSuspiciousInputs = false;
for (int condition : new int[] {
JComponent.WHEN_IN_FOCUSED_WINDOW,
JComponent.WHEN_FOCUSED,
JComponent.WHEN_ANCESTOR_OF_FOCUSED_COMPONENT
}) {
InputMap inputMap = field.getInputMap(condition);
if (inputMap.allKeys() == null)
continue;
for (KeyStroke keyStroke : inputMap.allKeys()) {
Object actionBinding = inputMap.get(keyStroke);
if (String.valueOf(actionBinding).contains("word")) {
System.out.println(inputMap.get(keyStroke) + " (" + keyStroke + ")");
foundSuspiciousInputs = true;
}
}
}
if (!foundSuspiciousInputs) {
System.out.println("No suspicious KeyStrokes detected; this test passes.");
System.exit(0);
}
System.out.println("\n\nTry using the above KeyStrokes to identify the boundary of words in the JPasswordField");
JFrame f = new JFrame();
f.getContentPane().add(field);
f.pack();
f.setVisible(true);
});
}
}
---------- END SOURCE ----------
- backported by
-
JDK-8366170 JPasswordField identifies spaces in password via delete shortcuts
-
- Resolved
-
- relates to
-
-
- Resolved
-
- links to
-
Commit(master)
openjdk/jdk25u/a93fadb1
-
Commit(master)
openjdk/jdk/8d73fe91
-
Review(master)
openjdk/jdk25u/132
-
Review(master)
openjdk/jdk/25688
(1 links to)