From: Sebastian Wiesner
Newsgroups: gmane.emacs.bugs
Subject: bug#17839: 24.4.50; read-passwd echoes password input in non-interactive sessions
Date: Wed, 25 Jun 2014 00:55:53 +0200
Message-ID: <53FA2CB5-2009-4F77-B10D-03B16CE6D715@lunaryorn.com>
To: Glenn Morris
Cc: Andreas Schwab, 17839@debbugs.gnu.org

On 24.06.2014 at 20:41, Glenn Morris wrote:

> Sebastian Wiesner wrote:
>
>>> Batch mode isn't designed for interaction. It uses standard I/O,
>>> oblivious to who is consuming the input.
>>
>> In this case `read-passwd' should at least signal an error when called
>> in non-interactive mode,
>
> I think that would be overkill.

I think that `read-passwd’ is a special case, because it *leaks a secret* when used in non-interactive mode, and the fact that it does is not immediately obvious. To learn this *in advance*, that is, before actually using this function in non-interactive code, one has to conclude from some rather abstract descriptions of Emacs’ behavior in the Emacs manual.

>> Currently it is simply insecure in non-interactive mode, and neither
>> its docstring nor the Emacs Lisp manual document that the password is
>> exposed when called in non-interactive mode.
>
> It's in the manual section on minibuffer input, and in batch mode there
> is no minibuffer. For example, read-file-name doesn't offer completion
> in batch-mode. It doesn't provide history. ctrl-k doesn't work. Etc.
> I see no point in mentioning these things in the doc-string of every
> function that uses the minibuffer.

There is a difference, I think. Completion, history, C-k, etc. are not crucial for entering a file name, but hiding input is absolutely crucial to entering a password securely. I can perfectly enter a file name without history or completion, but I cannot securely enter a password if it is shown during input.

So `read-file-name’ works in non-interactive mode, albeit less conveniently, but `read-passwd’ arguably does not.

Pointing out that non-interactive mode isn’t designed for interaction is right, probably, but misses the point imho.

Besides, “non-interactive” is a little vague. It’s obvious that `--batch’ is non-interactive, but is `--script’ as well? In other languages, e.g. Python or Perl, scripts regularly do interaction, including reading passwords.
I think it’s only natural that Emacs users will try to do the same in Emacs Lisp, encouraged by the existence of `--script’, so they’ll sooner or later hit this issue.
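
An added example, not part of the original message and not code from Emacs itself: one way for script code to avoid the echo discussed in this thread is to refuse to prompt when `noninteractive' is set and to take the secret from a permission-checked file instead. The helper name `my/read-secret', its SECRET-FILE argument and the POSIX-style mode check are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Hypothetical helper (not part of Emacs): never prompt for a secret
;; on standard input, where typed characters would be echoed.

(defun my/read-secret (prompt &optional secret-file)
  "Return a secret without echoing it on a terminal.
In an interactive session, defer to `read-passwd', which hides input
in the minibuffer.  When `noninteractive' is non-nil (Emacs started
with --batch or --script), do not prompt at all: read the first line
of SECRET-FILE, and only if that file is closed to group and others.
Signal an error in every other case instead of exposing the input."
  (cond
   ;; Normal session: the minibuffer exists and input is hidden.
   ((not noninteractive)
    (read-passwd prompt))
   ;; Batch session without a file: fail loudly rather than echo.
   ((null secret-file)
    (error "Refusing to prompt for a secret in a non-interactive session"))
   ((not (file-readable-p secret-file))
    (error "Secret file %s is not readable" secret-file))
   ;; Assumption: POSIX permission bits; reject anything beyond 0600/0400.
   ((/= 0 (logand (file-modes secret-file) #o077))
    (error "Secret file %s is accessible to group or others" secret-file))
   (t
    (with-temp-buffer
      (insert-file-contents secret-file)
      (goto-char (point-min))
      ;; First line only, without the trailing newline.
      (buffer-substring-no-properties (point) (line-end-position))))))

;; Constructed usage, e.g. from a file run with `emacs --script':
;;   (let ((token (my/read-secret "Token: " "~/.config/example/token")))
;;     (unwind-protect
;;         (ignore token)          ; the secret would be used here
;;       (clear-string token)))    ; overwrite the string afterwards
```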