* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
[not found] <E1Vpqlh-0007jZ-DD@vcs.savannah.gnu.org>
@ 2013-12-10 2:36 ` Stefan Monnier
2013-12-10 3:52 ` Eli Zaretskii
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Stefan Monnier @ 2013-12-10 2:36 UTC (permalink / raw)
To: Leo Liu; +Cc: emacs-devel
> * subr.el (read-passwd): Disable show-paren-mode.
Should we disable show-paren-mode's highlighting when the paren is
covered by a `display' property?
Stefan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 2:36 ` [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode Stefan Monnier
@ 2013-12-10 3:52 ` Eli Zaretskii
2013-12-10 7:52 ` martin rudalics
[not found] ` <<83siu1xszu.fsf@gnu.org>
2013-12-10 4:12 ` Leo Liu
2 siblings, 1 reply; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10 3:52 UTC (permalink / raw)
To: Stefan Monnier; +Cc: sdl.web, emacs-devel
> From: Stefan Monnier <monnier@IRO.UMontreal.CA>
> Date: Mon, 09 Dec 2013 21:36:46 -0500
> Cc: emacs-devel@gnu.org
>
> > * subr.el (read-passwd): Disable show-paren-mode.
>
> Should we disable show-paren-mode's highlighting when the paren is
> covered by a `display' property?
It's not just show-paren-mode. It's any mode that looks at buffer
text disregarding the display properties.
For that reason, I think read-passwd should use a completely different
implementation, because otherwise it will reveal the secrets with the
next random Emacs feature.
As for your question, I believe the answer is YES, we should not
highlight parentheses covered by display properties.
^ permalink raw reply [flat|nested] 14+ messages in thread
* RE: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
[not found] ` <<83siu1xszu.fsf@gnu.org>
@ 2013-12-10 3:59 ` Drew Adams
0 siblings, 0 replies; 14+ messages in thread
From: Drew Adams @ 2013-12-10 3:59 UTC (permalink / raw)
To: Eli Zaretskii, Stefan Monnier; +Cc: sdl.web, emacs-devel
> > Should we disable show-paren-mode's highlighting when the paren is
> > covered by a `display' property?
>
> It's not just show-paren-mode. It's any mode that looks at buffer
> text disregarding the display properties.
>
> For that reason, I think read-passwd should use a completely different
> implementation, because otherwise it will reveal the secrets with the
> next random Emacs feature.
Just what I was thinking (but in my case only in vague terms).
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 2:36 ` [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode Stefan Monnier
2013-12-10 3:52 ` Eli Zaretskii
[not found] ` <<83siu1xszu.fsf@gnu.org>
@ 2013-12-10 4:12 ` Leo Liu
2013-12-10 16:35 ` Eli Zaretskii
2 siblings, 1 reply; 14+ messages in thread
From: Leo Liu @ 2013-12-10 4:12 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> Should we disable show-paren-mode's highlighting when the paren is
> covered by a `display' property?
>
>
> Stefan
I have no opinion either way. read-passwd is really a special case where
emacs should reveal as little as possible. In other cases the highlight
might be helpful.
Leo
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 3:52 ` Eli Zaretskii
@ 2013-12-10 7:52 ` martin rudalics
2013-12-11 4:29 ` Stefan Monnier
0 siblings, 1 reply; 14+ messages in thread
From: martin rudalics @ 2013-12-10 7:52 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: emacs-devel, Stefan Monnier, sdl.web
> For that reason, I think read-passwd should use a completely different
> implementation, because otherwise it will reveal the secrets with the
> next random Emacs feature.
IMO read-passwd should be in C and strip any extraneous
text-properties and overlays after running all hooks.
martin
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 4:12 ` Leo Liu
@ 2013-12-10 16:35 ` Eli Zaretskii
2013-12-10 17:51 ` Josh
2013-12-11 0:03 ` Leo Liu
0 siblings, 2 replies; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10 16:35 UTC (permalink / raw)
To: Leo Liu; +Cc: monnier, emacs-devel
> From: Leo Liu <sdl.web@gmail.com>
> Date: Tue, 10 Dec 2013 12:12:35 +0800
> Cc: emacs-devel@gnu.org
>
> On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> > Should we disable show-paren-mode's highlighting when the paren is
> > covered by a `display' property?
> >
> >
> > Stefan
>
> I have no opinion either way. read-passwd is really a special case where
> emacs should reveal as little as possible. In other cases the highlight
> might be helpful.
Maybe you could suggest a couple of such cases, because I cannot think
of one. We are talking about highlighting parentheses that are not
displayed because some display property is displayed instead, right?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 16:35 ` Eli Zaretskii
@ 2013-12-10 17:51 ` Josh
2013-12-10 18:17 ` Eli Zaretskii
2013-12-11 0:03 ` Leo Liu
1 sibling, 1 reply; 14+ messages in thread
From: Josh @ 2013-12-10 17:51 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: emacs-devel, Leo Liu, Stefan Monnier
On Dec 10, 2013 8:35 AM, "Eli Zaretskii" <eliz@gnu.org> wrote:
>
> > From: Leo Liu <sdl.web@gmail.com>
> > Date: Tue, 10 Dec 2013 12:12:35 +0800
> > Cc: emacs-devel@gnu.org
> >
> > On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> > > Should we disable show-paren-mode's highlighting when the paren is
> > > covered by a `display' property?
> > >
> > >
> > > Stefan
> >
> > I have no opinion either way. read-passwd is really a special case where
> > emacs should reveal as little as possible. In other cases the highlight
> > might be helpful.
>
> Maybe you could suggest a couple of such cases, because I cannot think
> of one. We are talking about highlighting parentheses that are not
> displayed because some display property is displayed instead, right?
Isn't it the case that such parentheses would sometimes be displayed in
conjunction with conditional display specs., i.e. (when condition . spec)?
Also, I'd also expect show-paren-mode to affect parentheses having
display properties like `raise' and `height' that change the appearance
of parentheses but do not display something else entirely.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 17:51 ` Josh
@ 2013-12-10 18:17 ` Eli Zaretskii
0 siblings, 0 replies; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10 18:17 UTC (permalink / raw)
To: Josh; +Cc: emacs-devel, sdl.web, monnier
> Date: Tue, 10 Dec 2013 09:51:02 -0800
> From: Josh <josh@foxtail.org>
> Cc: Leo Liu <sdl.web@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, emacs-devel@gnu.org
>
> Isn't it the case that such parentheses would sometimes be displayed in
> conjunction with conditional display specs., i.e. (when condition . spec)?
If the condition is false, the display spec is inactive, and the
parentheses _are_ displayed. So this is not the case I was talking
about.
> Also, I'd also expect show-paren-mode to affect parentheses having
> display properties like `raise' and `height' that change the appearance
> of parentheses but do not display something else entirely.
I was talking about the so-called "replacing" display specs. Sorry
for not being clear enough.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 16:35 ` Eli Zaretskii
2013-12-10 17:51 ` Josh
@ 2013-12-11 0:03 ` Leo Liu
2013-12-11 4:19 ` Stefan Monnier
1 sibling, 1 reply; 14+ messages in thread
From: Leo Liu @ 2013-12-11 0:03 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: monnier, emacs-devel
On 2013-12-11 00:35 +0800, Eli Zaretskii wrote:
> Maybe you could suggest a couple of such cases, because I cannot think
> of one. We are talking about highlighting parentheses that are not
> displayed because some display property is displayed instead, right?
Like I said I have no particular preference for one way or another. But
for example if } is displayed as 'END' and show-paren-mode highlights it
I am fine.
Leo
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-11 0:03 ` Leo Liu
@ 2013-12-11 4:19 ` Stefan Monnier
0 siblings, 0 replies; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11 4:19 UTC (permalink / raw)
To: Leo Liu; +Cc: Eli Zaretskii, emacs-devel
> Like I said I have no particular preference for one way or another. But
> for example if } is displayed as 'END' and show-paren-mode highlights it
> I am fine.
Good point.
Stefan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-10 7:52 ` martin rudalics
@ 2013-12-11 4:29 ` Stefan Monnier
2013-12-11 8:14 ` martin rudalics
0 siblings, 1 reply; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11 4:29 UTC (permalink / raw)
To: martin rudalics; +Cc: Eli Zaretskii, sdl.web, emacs-devel
> IMO read-passwd should be in C and strip any extraneous
> text-properties and overlays after running all hooks.
I don't see why we should write it in C, but stripping away overlays and
text-properties would make sense. Another approach would be to replace
chars with . not just in the display but in the buffer itself and keep
the actual chars in a text property. The main property I want to
preserve is that normal editing works (tho you have to do it "blind"),
which is why the "hiding" is done in an after-change-function.
Stefan
^ permalink raw reply [flat|nested] 14+ messages in thread
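An added illustration of the two masking approaches discussed in this thread (not code from Emacs or from any poster): covering the typed characters with a `display' property, as raised in Eli Zaretskii's message, versus putting dots in the buffer itself and keeping the real characters in a text property, as proposed in the message above. The `demo-` function names, the `demo-real-char` property and the sample string are constructed for the example.

```elisp
;;; Added illustration; the demo- names and the sample secret are constructed.
;;; Run with: emacs --batch -l this-file.el

(defun demo-first-list-end ()
  "Return the end of the first balanced list in the buffer, or nil.
Paren-matching features rely on this kind of scan of the buffer text."
  (ignore-errors (scan-lists (point-min) 1 0)))

(defun demo-mask-with-display (secret)
  "Keep SECRET as buffer text and cover each char with a `display' dot.
Return what code reading the buffer still sees."
  (with-temp-buffer
    (insert secret)
    (let ((pos (point-min)))
      (while (< pos (point-max))
        ;; A fresh string per char: adjacent chars sharing one `eq'
        ;; display value would be rendered as a single dot.
        (put-text-property pos (1+ pos) 'display (string ?.))
        (setq pos (1+ pos))))
    (list :buffer-text (buffer-substring-no-properties (point-min) (point-max))
          :list-end (demo-first-list-end))))

(defun demo-mask-in-buffer (secret)
  "Store dots as buffer text; keep each real char in a text property.
Return what buffer readers see, plus what a property reader recovers."
  (with-temp-buffer
    (dolist (ch (string-to-list secret))
      (insert (propertize "." 'demo-real-char ch)))
    (list :buffer-text (buffer-substring-no-properties (point-min) (point-max))
          :list-end (demo-first-list-end)
          :recovered (mapconcat
                      (lambda (pos)
                        (string (get-text-property pos 'demo-real-char)))
                      (number-sequence (point-min) (1- (point-max)))
                      ""))))

(let ((secret "(hunter2)x"))            ; constructed sample input
  (message "display property: %S" (demo-mask-with-display secret))
  (message "buffer dots:      %S" (demo-mask-in-buffer secret)))
```

With the display-property approach the buffer text and the paren scan both still expose the secret's contents and structure; with dots in the buffer they do not, but any Lisp code that knows the property name can still read the characters back.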
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-11 4:29 ` Stefan Monnier
@ 2013-12-11 8:14 ` martin rudalics
2013-12-11 15:13 ` Stefan Monnier
0 siblings, 1 reply; 14+ messages in thread
From: martin rudalics @ 2013-12-11 8:14 UTC (permalink / raw)
To: Stefan Monnier; +Cc: Eli Zaretskii, sdl.web, emacs-devel
> I don't see why we should write it in C, but stripping away overlays and
> text-properties would make sense.
In Lisp there's always a simple way to inadvertently or maliciously
reveal some text property. C wouldn't eliminate but reduce that danger.
> Another approach would be to replace
> chars with . not just in the display but in the buffer itself and keep
> the actual chars in a text property.
Sounds good but not entirely trivial to implement.
> The main property I want to
> preserve is that normal editing works (tho you have to do it "blind"),
> which is why the "hiding" is done in an after-change-function.
Which is the weak point IMO. I wouldn't like to type a password with
`after-change-functions' or any other hook running in between.
Obviously, if the text is in a (mini-)buffer there's always a way that
redisplay reveals it. In this sense `show-paren-mode' was only the tip
of the iceberg. I would like a "hide" text property which can be only
set and removed from C and overrides any other text or overlay property
specified anywhere else.
martin
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-11 8:14 ` martin rudalics
@ 2013-12-11 15:13 ` Stefan Monnier
2013-12-11 17:55 ` martin rudalics
0 siblings, 1 reply; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11 15:13 UTC (permalink / raw)
To: martin rudalics; +Cc: Eli Zaretskii, sdl.web, emacs-devel
>> I don't see why we should write it in C, but stripping away overlays and
>> text-properties would make sense.
> In Lisp there's always a simple way to inadvertently or maliciously
> reveal some text property. C wouldn't eliminate but reduce that danger.
For the "maliciously" case: this is Emacs we're talking about. Even if
implemented in C, a "malicious" intruder can place enough advices to
circumvent pretty much any such "security". So worrying about this case
is not very useful.
Second, hiding the text from display is just a "sanity" measure.
Note that there are many cases where you actually want to see the
password as you type it (it's pretty common nowadays to see password
prompts where you can click a "show password" toggle box).
Showing the paren-matches is not that terrible of a problem. We already
display the number of chars and I haven't heard anyone complain about
this "information leak".
>> Another approach would be to replace chars with . not just in the
>> display but in the buffer itself and keep the actual chars in
>> a text property.
> Sounds good but not entirely trivial to implement.
If we want it to be 100%, indeed it's not trivial, but using the new
pre-redisplay-functions it should be pretty easy to do a "good enough"
job (good enough to cover show-paren-mode, for instance).
> Which is the weak point IMO. I wouldn't like to type a password with
> `after-change-functions' or any other hook running in between.
I don't think we want to try and disable pre/post-command-hook, timers,
process filters, before/after-change-functions, and other redisplay
hooks just out of paranoia.
Stefan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
2013-12-11 15:13 ` Stefan Monnier
@ 2013-12-11 17:55 ` martin rudalics
0 siblings, 0 replies; 14+ messages in thread
From: martin rudalics @ 2013-12-11 17:55 UTC (permalink / raw)
To: Stefan Monnier; +Cc: Eli Zaretskii, sdl.web, emacs-devel
> For the "maliciously" case: this is Emacs we're talking about. Even if
> implemented in C, a "malicious" intruder can place enough advices to
> circumvent pretty much any such "security". So worrying about this case
> is not very useful.
The malicious case would include a person demonstrating how easy it is
to bypass the Emacs protection mechanism.
> I don't think we want to try and disable pre/post-command-hook, timers,
> process filters, before/after-change-functions, and other redisplay
> hooks just out of paranoia.
IIRC we already cover other cases like undo revealing a previously typed
password as well as passwords ending up in bug reports as recently typed
characters. IMO typing passswords should be based on limited editing
facilities like yanking, self-insertion, cursor movement and deletion
commands.
martin
^ permalink raw reply [flat|nested] 14+ messages in thread