From: Noam Postavsky <npostavs@gmail.com>
To: Stefan Monnier <monnier@IRO.UMontreal.CA>
Cc: 30190@debbugs.gnu.org, Tino Calancha <tino.calancha@gmail.com>
Subject: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Wed, 18 Jul 2018 20:02:12 -0400 [thread overview]
Message-ID: <87zhyo6qkb.fsf@gmail.com> (raw)
In-Reply-To: <jwvva9c64va.fsf-monnier+emacs@gnu.org> (Stefan Monnier's message of "Wed, 18 Jul 2018 10:24:14 -0400")
[-- Attachment #1: Type: text/plain, Size: 2299 bytes --]
Stefan Monnier <monnier@IRO.UMontreal.CA> writes:
> Couldn't help send you some nitpicks, tho,
Thanks for reviewing :)
>> @@ -2288,7 +2289,8 @@ term-send-invisible
>> \\[view-lossage]."
>> (interactive "P") ; Defeat snooping via C-x esc
>> (when (not (stringp str))
>> - (setq str (term-read-noecho "Non-echoed text: " t)))
>> + (let ((read-hide-char ?*))
>> + (setq str (read-passwd "Non-echoed text: "))))
>> (when (not proc)
>> (setq proc (get-buffer-process (current-buffer))))
>> (if (not proc) (error "Current buffer has no process")
>
> Why do we need to bind `read-hide-char` here?
> More specifically, shouldn't `read-passwd` do that for us (hence if it
> doesn't yet, then the right patch is to add this let-binding to
> `read-passwd`)?
Tino mentioned "*" being more visible than ".", but poking at this a bit
more, I notice that term-read-noecho uses "*", so I guess that was the
original motivation. I've dropped the read-hide-char binding, I think
it probably doesn't matter much either way.
Another thing I noticed is that read-passwd doesn't have the
view-lossage leak that term-read-noecho has, so I've removed that note
from the docstring.
>> +(defun term-watch-for-password-prompt (string)
>> + "Prompt in the minibuffer for password and send without echoing.
>> +This function uses `term-send-invisible' to read and send a password to the buffer's
>> +process if STRING contains a password prompt defined by
>> +`comint-password-prompt-regexp'."
> I don't see any reason to document in the docstring what internal
> mechanism is used
Makes sense, I've trimmed the docstring.
>> @@ -3152,6 +3165,9 @@ term-emulate-terminal
>> (term-handle-deferred-scroll))
>>
>> (set-marker (process-mark proc) (point))
>> + (when (stringp decoded-substring)
>> + (term-watch-for-password-prompt (prog1 decoded-substring
>> + (setq decoded-substring nil))))
>
> I suggest you add a comment explaining why we set decoded-substring to nil.
Ah, I carefully wrote a comment explaining why I did that, and then I
realized it was wrong. There's not actually any need for it (I had got
a bit mixed up and thought we might loop around and prompt twice, but
this call is already after the loop).
[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 2917 bytes --]
From 429082a5e14abefb503d39390044b92cd2328462 Mon Sep 17 00:00:00 2001
From: Tino Calancha <tino.calancha@gmail.com>
Date: Thu, 15 Feb 2018 09:09:50 +0900
Subject: [PATCH v4] Prevent line-mode term from showing user passwords
For buffers whose mode derives from comint-mode, the user password is
read from the minibuffer and it's hidden. A buffer in term-mode and
line submode, instead, shows the passwords. Make buffers in line
term-mode hide passwords too (Bug#30190).
* lisp/term.el (term-send-invisible): Prefer the more robust
`read-passwd' instead of `term-read-noecho'.
(term-watch-for-password-prompt): New function.
(term-emulate-terminal): Call it each time we receive non-escape
sequence output.
Co-authored-by: Noam Postavsky <npostavs@gmail.com>
---
lisp/term.el | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/lisp/term.el b/lisp/term.el
index b7f5b0e7f2..adbc0b0d88 100644
--- a/lisp/term.el
+++ b/lisp/term.el
@@ -347,6 +347,7 @@ term-protocol-version
(eval-when-compile (require 'cl-lib))
(require 'ring)
(require 'ehelp)
+(require 'comint) ; Password regexp.
(declare-function ring-empty-p "ring" (ring))
(declare-function ring-ref "ring" (ring index))
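Review bot: the comment on the new `(require 'comint)` should name the variable it is there for, `comint-password-prompt-regexp`, because a later reader will ask why term.el now loads all of comint at top level; if that one defcustom is the only thing needed, say so in the comment, e.g. `;; For `comint-password-prompt-regexp'.` The require itself is necessary for the value rather than just to quiet the byte-compiler, since the regexp is consulted on live process output, so keep it as a hard require rather than a `declare-function`-style stub.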
@@ -2283,12 +2284,10 @@ term-read-noecho
(defun term-send-invisible (str &optional proc)
"Read a string without echoing.
Then send it to the process running in the current buffer. A new-line
-is additionally sent. String is not saved on term input history list.
-Security bug: your string can still be temporarily recovered with
-\\[view-lossage]."
+is additionally sent. String is not saved on term input history list."
(interactive "P") ; Defeat snooping via C-x esc
(when (not (stringp str))
- (setq str (term-read-noecho "Non-echoed text: " t)))
+ (setq str (read-passwd "Non-echoed text: ")))
(when (not proc)
(setq proc (get-buffer-process (current-buffer))))
(if (not proc) (error "Current buffer has no process")
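Review bot: the docstring drops the `\\[view-lossage]` warning, and that is justified only if `read-passwd` keeps the typed characters out of the recent-keys record; nothing in the hunk states that, so a one-line comment next to the `read-passwd` call (or a sentence in the commit message) saying why the leak is gone would make the security claim checkable later. The hunk header also shows `term-read-noecho` still defined just above; with its only caller here replaced, consider `(make-obsolete 'term-read-noecho 'read-passwd "27.1")` so nobody reintroduces the lossage leak by calling it.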
@@ -2297,6 +2296,16 @@ term-send-invisible
(term-send-string proc str)
(term-send-string proc "\n")))
+;; TODO: Maybe combine this with `comint-watch-for-password-prompt'.
+(defun term-watch-for-password-prompt (string)
+ "Prompt in the minibuffer for password and send without echoing.
+Checks if STRING contains a password prompt as defined by
+`comint-password-prompt-regexp'."
+ (when (term-in-line-mode)
+ (when (let ((case-fold-search t))
+ (string-match comint-password-prompt-regexp string))
+ (term-send-invisible (read-passwd string)))))
+
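Review bot: `read-passwd` receives the whole output chunk STRING as the minibuffer prompt, so anything that arrived in the same chunk before the prompt (earlier command output, leading newlines) is displayed in the minibuffer; pass only the matched text, e.g. `(term-send-invisible (read-passwd (match-string 0 string)))`, or at least strip leading whitespace as `comint-watch-for-password-prompt` does. Two smaller points: the nested `when` forms can be a single `(when (and (term-in-line-mode) (let ((case-fold-search t)) (string-match ...))) ...)`, and because this runs from inside the process filter, output arriving while `read-passwd` is waiting re-enters `term-emulate-terminal` and can open a second prompt if it also matches; comint guards that case with a recursion-depth counter, which is worth mentioning in the TODO about merging the two functions.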
\f
;;; Low-level process communication
@@ -3152,6 +3161,8 @@ term-emulate-terminal
(term-handle-deferred-scroll))
(set-marker (process-mark proc) (point))
+ (when (stringp decoded-substring)
+ (term-watch-for-password-prompt decoded-substring))
(when save-point
(goto-char save-point)
(set-marker save-point nil))
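Review bot: only the current `decoded-substring` is matched, so a prompt that straddles two reads (`Pass` in one chunk, `word: ` in the next) is not detected; the `stringp` guard also implies `decoded-substring` can be nil at this point without the hunk saying when. A short comment stating both facts would help, especially since the commit message promises the check on every non-escape-sequence output. It is also worth noting in that comment that the check deliberately runs after `(set-marker (process-mark proc) (point))`, so the prompt is already in the buffer before the minibuffer opens.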
--
2.11.0
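As an added example, not part of this thread or of the patch above, the following ERT test exercises the prompt detection that the new `term-watch-for-password-prompt` relies on, without a live process: it runs `comint-password-prompt-regexp` over a few constructed output chunks under the same `case-fold-search` binding the patch uses, and shows which chunks match only because of that binding. The `example-` names are invented for this illustration; it assumes only that `comint` and `ert` load in the running Emacs.

```elisp
;;; Added example, not part of the patch: exercise the password-prompt
;;; detection the patch relies on, using constructed output chunks.
(require 'ert)
(require 'comint)   ; provides `comint-password-prompt-regexp'

(defun example-password-prompt-p (string)
  "Return non-nil when STRING ends in what looks like a password prompt.
This is the same match the patch performs before calling `read-passwd':
`comint-password-prompt-regexp' with `case-fold-search' bound to t."
  (let ((case-fold-search t))
    (and (string-match comint-password-prompt-regexp string) t)))

(defun example-prompt-needs-case-fold-p (string)
  "Return non-nil when STRING matches only with `case-fold-search' bound to t.
Documents why the patch binds `case-fold-search' around the match."
  (and (example-password-prompt-p string)
       (not (let ((case-fold-search nil))
              (string-match comint-password-prompt-regexp string)))))

;; Constructed sample chunks, shaped like what a process filter receives.
(defconst example-prompts
  '("Password: "
    "Password:"
    "[sudo] password for alice: "
    "Enter passphrase for key '/home/alice/.ssh/id_ed25519': "
    "PASSWORD: ")
  "Constructed chunks that should be treated as password prompts.")

(defconst example-non-prompts
  '("alice@host:~$ "                  ; ordinary shell prompt
    "Changing password for alice.\n"  ; mentions a password, is not a prompt
    "Password: xyz\n")                ; prompt followed by more output
  "Constructed chunks that must not trigger the minibuffer prompt.")

(ert-deftest example-password-prompt-detection ()
  "Prompts are detected, non-prompts are left alone."
  (dolist (s example-prompts)
    (should (example-password-prompt-p s)))
  (dolist (s example-non-prompts)
    (should-not (example-password-prompt-p s))))

(ert-deftest example-password-prompt-case-folding ()
  "An all-caps prompt is only recognised because of `case-fold-search'."
  (should (example-prompt-needs-case-fold-p "PASSWORD: ")))

;; Run with: emacs -Q --batch -l example-prompts.el -f ert-run-tests-batch-and-exit
```

The second test is the interesting one for review: drop the `case-fold-search` binding from the patch and the all-caps prompt stops being caught, while the first test still passes for the lower-case cases. The `example-non-prompts` list also shows the limitation noted in review, that a prompt followed by further output in the same chunk is not recognised, because the regexp is anchored at the end of the string.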