* Re: master 3df7d06: Added `comint-password-function' hook [not found] ` <20191223050617.2BA89212AC@vcs0.savannah.gnu.org> @ 2019-12-23 10:24 ` Michael Albinus 2019-12-23 14:01 ` Eli Zaretskii 0 siblings, 1 reply; 2+ messages in thread From: Michael Albinus @ 2019-12-23 10:24 UTC (permalink / raw) To: emacs-devel; +Cc: Michael R. Mauger mmaug--- via Mailing list for Emacs changes <emacs-diffs@gnu.org> writes: Hi Michael, > --- a/etc/NEWS > +++ b/etc/NEWS > @@ -1131,6 +1131,19 @@ end. > *** 'comint-run' can now accept a list of switches to pass to the program. > 'C-u M-x comint-run' will prompt for the switches interactively. > > +*** Abnormal hook `comint-password-function' has been added. > +This hook permits a derived mode to supply a password for the > +underlying command interpreter without prompting the user. For > +example, in sql-mode, the password for connecting to the database may > +be stored in the connection wallet and may be passed on the command > +line to start the SQL interpreter. This is a potential security flaw > +that could expose user's database passwords on the command line > +through the use of a process list (Bug#8427). With this hook, it is > +possible to not pass the password on the command line and wait for the > +program to prompt for the password. When it does so, the password cam > +be supplied to the SQL interpreter without involving the user just as > +if it had been supplied on the command line. Shouldn't this be documented in the manual, or at least in the docstring? etc/NEWS is not the preferred place to look for documentation, except when a new Emacs release arrives. Furthermore, we don't mention bug numbers in etc/NEWS. Best regards, Michael. ^ permalink raw reply [flat|nested] 2+ messages in thread
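Review bot: The added NEWS paragraph calls `comint-password-function' an abnormal hook but never states what argument the function is called with or what it must return to supply a password or decline. A mode author cannot write a hook function from this text alone. Add one sentence giving the calling convention, or point to the docstring once it exists. In the second-to-last added line, "the password cam" should read "the password can". The new entry quotes the symbol as `comint-password-function' while the unchanged context line above it writes 'comint-run' with straight quotes; match the surrounding entries. The paragraph could also be cut to the hook's purpose plus the command-line exposure it avoids, since the sql-mode walk-through is closer to manual material than to a NEWS entry.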
* Re: master 3df7d06: Added `comint-password-function' hook 2019-12-23 10:24 ` master 3df7d06: Added `comint-password-function' hook Michael Albinus @ 2019-12-23 14:01 ` Eli Zaretskii 0 siblings, 0 replies; 2+ messages in thread From: Eli Zaretskii @ 2019-12-23 14:01 UTC (permalink / raw) To: Michael Albinus; +Cc: michael, emacs-devel > From: Michael Albinus <michael.albinus@gmx.de> > Date: Mon, 23 Dec 2019 11:24:56 +0100 > Cc: "Michael R. Mauger" <michael@mauger.com> > > > +*** Abnormal hook `comint-password-function' has been added. > > +This hook permits a derived mode to supply a password for the > > +underlying command interpreter without prompting the user. For > > +example, in sql-mode, the password for connecting to the database may > > +be stored in the connection wallet and may be passed on the command > > +line to start the SQL interpreter. This is a potential security flaw > > +that could expose user's database passwords on the command line > > +through the use of a process list (Bug#8427). With this hook, it is > > +possible to not pass the password on the command line and wait for the > > +program to prompt for the password. When it does so, the password cam > > +be supplied to the SQL interpreter without involving the user just as > > +if it had been supplied on the command line. > > Shouldn't this be documented in the manual, or at least in the > docstring? It should. > Furthermore, we don't mention bug numbers in etc/NEWS. Right. Patches with corrections are welcome. Thanks. ^ permalink raw reply [flat|nested] 2+ messages in thread