From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Kazuhiro Ito <kzhr@d1.dion.ne.jp>
Newsgroups: gmane.emacs.bugs
Subject: bug#49289: 28.0.50;
 auth-source-search may return doubly obfuscated :secret value
Date: Wed, 30 Jun 2021 19:18:37 +0900
Message-ID: <86lf6rejuq.wl--xmue@d1.dion.ne.jp>
Mime-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="3462"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue)
 FLIM-LB/1.14.9 (=?UTF-8?Q?Goj=C5=8D?=) APEL-LB/10.8 EasyPG/1.0.0
 Emacs/28.0.50 (x86_64-w64-mingw32) MULE/6.0 (HANACHIRUSATO)
To: 49289@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed Jun 30 12:19:10 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1lyXJF-0000nQ-LN
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 30 Jun 2021 12:19:09 +0200
Original-Received: from localhost ([::1]:42502 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1lyXJE-0004df-MB
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 30 Jun 2021 06:19:08 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:46262)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lyXJ8-0004dJ-Cl
 for bug-gnu-emacs@gnu.org; Wed, 30 Jun 2021 06:19:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:44968)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lyXJ8-0001BK-5Q
 for bug-gnu-emacs@gnu.org; Wed, 30 Jun 2021 06:19:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lyXJ8-0000mV-2C
 for bug-gnu-emacs@gnu.org; Wed, 30 Jun 2021 06:19:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Kazuhiro Ito <kzhr@d1.dion.ne.jp>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 30 Jun 2021 10:19:01 +0000
Resent-Message-ID: <handler.49289.B.16250483362991@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 49289
X-GNU-PR-Package: emacs
X-Debbugs-Original-To: bug-gnu-emacs@gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.16250483362991
 (code B ref -1); Wed, 30 Jun 2021 10:19:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 30 Jun 2021 10:18:56 +0000
Original-Received: from localhost ([127.0.0.1]:56514 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lyXJ2-0000mA-JS
 for submit@debbugs.gnu.org; Wed, 30 Jun 2021 06:18:56 -0400
Original-Received: from lists.gnu.org ([209.51.188.17]:57984)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <kzhr@d1.dion.ne.jp>) id 1lyXJ1-0000m3-24
 for submit@debbugs.gnu.org; Wed, 30 Jun 2021 06:18:55 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:46220)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kzhr@d1.dion.ne.jp>)
 id 1lyXJ0-0004P9-RJ
 for bug-gnu-emacs@gnu.org; Wed, 30 Jun 2021 06:18:54 -0400
Original-Received: from snd10013.auone-net.jp ([106.187.245.173]:7009
 helo=dmta0003.auone-net.jp)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <kzhr@d1.dion.ne.jp>)
 id 1lyXIv-0000xo-Jf
 for bug-gnu-emacs@gnu.org; Wed, 30 Jun 2021 06:18:53 -0400
Original-Received: from kzhr.d1.dion.ne.jp by dmta0003.auone-net.jp with ESMTP
 id <20210630101841250.EQDB.44995.kzhr.d1.dion.ne.jp@dmta0003.auone-net.jp>;
 Wed, 30 Jun 2021 19:18:41 +0900
X-Hashcash: 1:20:210630:bug-gnu-emacs@gnu.org::x1KQ2mqANQEww0Mv:00000000000000000000000000000000000000002Nwh
Received-SPF: pass client-ip=106.187.245.173; envelope-from=kzhr@d1.dion.ne.jp;
 helo=dmta0003.auone-net.jp
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:209151
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/209151>

When I have ~/.authinfo entry of 'mail.example.com' for user 'foo' but
not user 'bar',

~/.authinfo
machine mail.example.com login foo password abcdef

for user other than 'foo', auth-source-search returns a function which
returns a function which returns a string.

(progn
  (require 'auth-source)
  (list
   (funcall
    (plist-get
     (car (auth-source-search
	   :host "mail.example.com" :user "foo"
	   :require '(:secret) :create t))
     :secret))
   (funcall
    (funcall
     ;; *** funcall called twice. ***
     (plist-get
      (car (auth-source-search
	    :host "mail.example.com" :user "bar"
	    :require '(:secret) :create t))
      :secret)))))

-> ("abcdef" "abcdef")

I don't know whether auth-source supports multiple accounts on the
same host and whether it is a feature that auth-source-search tend to
return other user's password.  But I think doubly obfuscated :secret
value is obviously a bug.

-- 
Kazuhiro Ito