From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Sat, 10 Mar 2018 12:25:08 +0200
Message-ID: <83a7vgut17.fsf@gnu.org>
To: Tino Calancha
Cc: 30190@debbugs.gnu.org, rms@gnu.org, npostavs@users.sourceforge.net
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: confirmed security
In-reply-to: <873718qpme.fsf@gmail.com> (message from Tino Calancha on Sat, 10 Mar 2018 17:52:25 +0900)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"

> From: Tino Calancha
> Cc: 30190@debbugs.gnu.org, rms@gnu.org, npostavs@users.sourceforge.net
> Date: Sat, 10 Mar 2018 17:52:25 +0900
>
> > You'll have to convince me that
> > 1. we really cannot live with the bug until Emacs 27.
> You can live with it. Many people can live with it. Indeed, this bug
> has been there since the addition of this lib. several releases before.
>
> I cannot live with it; any user using 'term.el' in line mode
> should not live with it. It's a security issue and should be
> taken seriously. IMO, Emacs sends the wrong message delivering a new
> release with a security bug, having a simple and well understood
> fix for it.
>
> Last week one of my teachers saw my email password on my screen. He
> was very serious about that, and requested me to please, _immediately_
> change my password. Certainly, many developers care about these kinds
> of issues.
>
> > 2. all of that is needed to fix the bug exposed by your recipe.
> The patch is crafted so that:
> * It just modifies one file, i.e. term.el.
> * Doesn't establish new dependencies between comint.el and term.el.
>
> With that in mind, you can see how simple the patch is. It _just_ copies
> step by step what is done in comint.el:

Here's what bothers me about the patch:

  . it installs the filter even when term.el is not in line mode
  . it uses many constructs in term-password-prompt-regexp that could
    happen in unrelated text--does that mean such unrelated text will
    become invisible, thus making the session at least look buggy?

The 2nd issue looks to me like a more serious one, unless I'm missing
something. Is it possible to make sure we don't mistakenly take some
innocent text as a password? Did you try in your testing to type text
that matches this regexp, and if so, what did you see as result?
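
Added example (not part of the original message, and not the patch under review): one way to test the second concern above is to run a candidate prompt regexp over labelled chunks of process output and list the non-prompt text it would hide. The regexps, the my/ names and the sample strings are all constructed for illustration; the patch's actual term-password-prompt-regexp does not appear in this message.

```elisp
;;; Constructed illustration; every name, regexp and sample here is
;;; hypothetical and none of it is taken from term.el or the patch.
(require 'cl-lib)

(defconst my/loose-prompt-regexp
  "\\(?:[Pp]assword\\|[Pp]assphrase\\|PIN\\)"
  "Prompt keywords only, matched anywhere in a chunk of output.")

(defconst my/strict-prompt-regexp
  ;; Keyword, then the rest of the same line, which must end in a colon
  ;; plus optional blanks at the very end of the chunk (\\' = end of
  ;; string), i.e. the process stopped there and is waiting for input.
  (concat my/loose-prompt-regexp "[^\n:]*:[ \t]*\\'")
  "Keywords accepted only in the trailing, unterminated line.")

(defconst my/samples
  ;; (TEXT . PROMPTP): constructed output chunks with the intended label.
  '(("Password: " . t)
    ("[sudo] password for tino: " . t)
    ("Enter passphrase for key '/home/tino/.ssh/id_rsa': " . t)
    ("$ man passwd   # how to change a password\n" . nil)
    ("README: set the PIN in config.ini before first use\n" . nil)
    ("error: Password authentication is disabled\n" . nil)
    ;; Ends like a prompt but does not ask for a secret.
    ("Password hint (shown on login screen): " . nil)))

(defun my/misclassified (regexp samples)
  "Return (FALSE-POSITIVES MISSED-PROMPTS) for REGEXP over SAMPLES.
FALSE-POSITIVES are non-prompt texts that REGEXP matches, so their
follow-up input would be hidden; MISSED-PROMPTS are prompts it skips."
  ;; Bind case-fold-search so the result does not depend on the
  ;; user's setting (with folding on, \"PIN\" also matches \"spinning\").
  (let ((case-fold-search nil)
        false-positives missed)
    (cl-loop for (text . promptp) in samples
             for hit = (string-match-p regexp text)
             do (cond ((and hit (not promptp)) (push text false-positives))
                      ((and promptp (not hit)) (push text missed))))
    (list (nreverse false-positives) (nreverse missed))))

;; Evaluate to compare the two candidates on the same labelled input.
(list (cons 'loose  (my/misclassified my/loose-prompt-regexp my/samples))
      (cons 'strict (my/misclassified my/strict-prompt-regexp my/samples)))
```

The last sample is there to show that anchoring narrows the problem without closing it, so a labelled corpus like this is worth extending with real session output before trusting any prompt regexp.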