From: Tino Calancha
Newsgroups: gmane.emacs.bugs
Subject: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Sat, 10 Mar 2018 17:52:25 +0900
Message-ID: <873718qpme.fsf@gmail.com>
In-Reply-To: <83606q6xr7.fsf@gnu.org> (Eli Zaretskii's message of "Wed, 21 Feb 2018 19:47:08 +0200")
To: Eli Zaretskii
Cc: 30190@debbugs.gnu.org, rms@gnu.org, npostavs@users.sourceforge.net
X-GNU-PR-Keywords: confirmed security

Eli Zaretskii writes:

>> From: Tino Calancha
>> Cc: 30190@debbugs.gnu.org, Richard Stallman, npostavs@users.sourceforge.net
>> Date: Wed, 21 Feb 2018 19:18:31 +0900
>>
>> If anyone can show just cause why this patch cannot lawfully be joined
>> together in Emacs-26 branch, let them speak now or forever hold their
>> peace.

Thanks for the reply, and sorry for the late response; I have been quite a
busy guy the last 2 months (next week even more :-S ).

> You'll have to convince me that
> 1. we really cannot live with the bug until Emacs 27.

You can live with it. Many people can live with it. Indeed, this bug
has been there since the addition of this lib. several releases before.
I cannot live with it; any user using 'term.el' in line mode should not
live with it. It's a security issue and should be taken seriously. IMO,
Emacs sends the wrong message delivering a new release with a security
bug, having a simple and well understood fix for it.

Last week one of my teachers saw my email password on my screen. He was
very serious about that, and requested me to please, _immediately_ change
my password. Certainly, many developers care about these kinds of issues.

> 2. all of that is needed to fix the bug exposed by your recipe.

The patch is crafted so that:
* It just modifies one file, i.e. term.el.
* It doesn't establish new dependencies between comint.el and term.el.

With that in mind, you can see how simple the patch is. It _just_ copies
step by step what is done in comint.el:

term-password-prompt-regexp <--> comint-password-prompt-regexp
term-output-filter-hook <--> comint-output-filter-functions
term-watch-for-password-prompt <--> comint-watch-for-password-prompt
Run hook 'term-output-filter-hook' in 'term-input-sender' <--> Run hook 'comint-output-filter-functions' comint-output-filter-functions
'term-send-invisible' uses `read-passwd' <--> 'send-invisible' uses `read-passwd'
Run hook 'term-output-filter-hook' in 'term-emulate-terminal' <--> Run hook 'comint-output-filter-functions' in 'comint-output-filter'

IMO the patch is simple, necessary and safe to be included in Emacs-26.

PS: Later on, for Emacs-27 we might want to reduce code duplication within comint.el and term.el, for instance with the addition of a new file.
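
The mechanism the message lists (an output filter that runs a password-prompt watcher, and an input path that does not echo when a prompt was seen), as an added example that is not part of the message or of the patch. It is a Python model rather than Emacs Lisp; `LineModeTerm`, `run_session`, the simplified `PROMPT_RE` and the transcript are all constructed for illustration.

```python
import re

# Assumed, simplified prompt pattern; comint.el's real regexp is broader.
PROMPT_RE = re.compile(r"(?:password|passphrase)[^:\n]*:\s*\Z", re.IGNORECASE)


class LineModeTerm:
    """Toy model of a line-mode terminal buffer (hypothetical, not term.el)."""

    def __init__(self, watch_prompts):
        self.watch_prompts = watch_prompts
        self.buffer = ""        # text a bystander can read on screen
        self.sent = []          # lines delivered to the child process
        self.hide_next = False  # set when the last output looked like a prompt

    def on_output(self, chunk):
        """Output filter: insert the chunk, then run the prompt watcher."""
        self.buffer += chunk
        if self.watch_prompts:
            # Match on the current last line of the buffer, not on the chunk,
            # so a prompt split across two reads is still recognised.
            last_line = self.buffer.rsplit("\n", 1)[-1]
            self.hide_next = bool(PROMPT_RE.search(last_line))

    def on_input(self, line):
        """Input sender: line mode echoes typed text unless it is hidden."""
        if not self.hide_next:
            self.buffer += line
        self.buffer += "\n"
        self.sent.append(line)  # the child receives the line either way
        self.hide_next = False


def run_session(watch_prompts):
    # Constructed transcript: the prompt arrives in two separate reads.
    term = LineModeTerm(watch_prompts)
    term.on_output("$ ")
    term.on_input("sudo -v")
    term.on_output("[sudo] pass")
    term.on_output("word for alice: ")
    term.on_input("s3cr3t-example")
    term.on_output("$ ")
    return term


if __name__ == "__main__":
    for watch in (False, True):
        leaked = "s3cr3t-example" in run_session(watch).buffer
        print("watcher on " if watch else "watcher off", "-> leaked:", leaked)
```
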