all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
       [not found] <E1Vpqlh-0007jZ-DD@vcs.savannah.gnu.org>
@ 2013-12-10  2:36 ` Stefan Monnier
  2013-12-10  3:52   ` Eli Zaretskii
                     ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Stefan Monnier @ 2013-12-10  2:36 UTC (permalink / raw)
  To: Leo Liu; +Cc: emacs-devel

>   * subr.el (read-passwd): Disable show-paren-mode.

Should we disable show-paren-mode's highlighting when the paren is
covered by a `display' property?


        Stefan



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10  2:36 ` [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode Stefan Monnier
@ 2013-12-10  3:52   ` Eli Zaretskii
  2013-12-10  7:52     ` martin rudalics
       [not found]   ` <<83siu1xszu.fsf@gnu.org>
  2013-12-10  4:12   ` Leo Liu
  2 siblings, 1 reply; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10  3:52 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: sdl.web, emacs-devel

> From: Stefan Monnier <monnier@IRO.UMontreal.CA>
> Date: Mon, 09 Dec 2013 21:36:46 -0500
> Cc: emacs-devel@gnu.org
> 
> >   * subr.el (read-passwd): Disable show-paren-mode.
> 
> Should we disable show-paren-mode's highlighting when the paren is
> covered by a `display' property?

It's not just show-paren-mode.  It's any mode that looks at buffer
text disregarding the display properties.

For that reason, I think read-passwd should use a completely different
implementation, because otherwise it will reveal the secrets with the
next random Emacs feature.

As for your question, I believe the answer is YES, we should not
highlight parentheses covered by display properties.



^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
       [not found]   ` <<83siu1xszu.fsf@gnu.org>
@ 2013-12-10  3:59     ` Drew Adams
  0 siblings, 0 replies; 14+ messages in thread
From: Drew Adams @ 2013-12-10  3:59 UTC (permalink / raw)
  To: Eli Zaretskii, Stefan Monnier; +Cc: sdl.web, emacs-devel

> > Should we disable show-paren-mode's highlighting when the paren is
> > covered by a `display' property?
> 
> It's not just show-paren-mode.  It's any mode that looks at buffer
> text disregarding the display properties.
> 
> For that reason, I think read-passwd should use a completely different
> implementation, because otherwise it will reveal the secrets with the
> next random Emacs feature.

Just what I was thinking (but in my case only in vague terms).



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10  2:36 ` [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode Stefan Monnier
  2013-12-10  3:52   ` Eli Zaretskii
       [not found]   ` <<83siu1xszu.fsf@gnu.org>
@ 2013-12-10  4:12   ` Leo Liu
  2013-12-10 16:35     ` Eli Zaretskii
  2 siblings, 1 reply; 14+ messages in thread
From: Leo Liu @ 2013-12-10  4:12 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: emacs-devel

On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> Should we disable show-paren-mode's highlighting when the paren is
> covered by a `display' property?
>
>
>         Stefan

I have no opinion either way. read-passwd is really a special case where
emacs should reveal as little as possible. In other cases the highlight
might be helpful.

Leo



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10  3:52   ` Eli Zaretskii
@ 2013-12-10  7:52     ` martin rudalics
  2013-12-11  4:29       ` Stefan Monnier
  0 siblings, 1 reply; 14+ messages in thread
From: martin rudalics @ 2013-12-10  7:52 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: emacs-devel, Stefan Monnier, sdl.web

> For that reason, I think read-passwd should use a completely different
> implementation, because otherwise it will reveal the secrets with the
> next random Emacs feature.

IMO read-passwd should be in C and strip any extraneous
text-properties and overlays after running all hooks.

martin





^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10  4:12   ` Leo Liu
@ 2013-12-10 16:35     ` Eli Zaretskii
  2013-12-10 17:51       ` Josh
  2013-12-11  0:03       ` Leo Liu
  0 siblings, 2 replies; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10 16:35 UTC (permalink / raw)
  To: Leo Liu; +Cc: monnier, emacs-devel

> From: Leo Liu <sdl.web@gmail.com>
> Date: Tue, 10 Dec 2013 12:12:35 +0800
> Cc: emacs-devel@gnu.org
> 
> On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> > Should we disable show-paren-mode's highlighting when the paren is
> > covered by a `display' property?
> >
> >
> >         Stefan
> 
> I have no opinion either way. read-passwd is really a special case where
> emacs should reveal as little as possible. In other cases the highlight
> might be helpful.

Maybe you could suggest a couple of such cases, because I cannot think
of one.  We are talking about highlighting parentheses that are not
displayed because some display property is displayed instead, right?



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10 16:35     ` Eli Zaretskii
@ 2013-12-10 17:51       ` Josh
  2013-12-10 18:17         ` Eli Zaretskii
  2013-12-11  0:03       ` Leo Liu
  1 sibling, 1 reply; 14+ messages in thread
From: Josh @ 2013-12-10 17:51 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: emacs-devel, Leo Liu, Stefan Monnier

[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]

On Dec 10, 2013 8:35 AM, "Eli Zaretskii" <eliz@gnu.org> wrote:
>
> > From: Leo Liu <sdl.web@gmail.com>
> > Date: Tue, 10 Dec 2013 12:12:35 +0800
> > Cc: emacs-devel@gnu.org
> >
> > On 2013-12-10 10:36 +0800, Stefan Monnier wrote:
> > > Should we disable show-paren-mode's highlighting when the paren is
> > > covered by a `display' property?
> > >
> > >
> > >         Stefan
> >
> > I have no opinion either way. read-passwd is really a special case where
> > emacs should reveal as little as possible. In other cases the highlight
> > might be helpful.
>
> Maybe you could suggest a couple of such cases, because I cannot think
> of one.  We are talking about highlighting parentheses that are not
> displayed because some display property is displayed instead, right?

Isn't it the case that such parentheses would sometimes be displayed in
conjunction with conditional display specs., i.e. (when condition . spec)?
Also, I'd also expect show-paren-mode to affect parentheses having
display properties like ‘raise' and ’height' that change the appearance
of parentheses but do not display something else entirely.

[-- Attachment #2: Type: text/html, Size: 1535 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10 17:51       ` Josh
@ 2013-12-10 18:17         ` Eli Zaretskii
  0 siblings, 0 replies; 14+ messages in thread
From: Eli Zaretskii @ 2013-12-10 18:17 UTC (permalink / raw)
  To: Josh; +Cc: emacs-devel, sdl.web, monnier

> Date: Tue, 10 Dec 2013 09:51:02 -0800
> From: Josh <josh@foxtail.org>
> Cc: Leo Liu <sdl.web@gmail.com>, Stefan Monnier <monnier@iro.umontreal.ca>, emacs-devel@gnu.org
> 
> Isn't it the case that such parentheses would sometimes be displayed in
> conjunction with conditional display specs., i.e. (when condition . spec)?

If the condition is false, the display spec is inactive, and the
parentheses _are_ displayed.  So this is not the case I was talking
about.

> Also, I'd also expect show-paren-mode to affect parentheses having
> display properties like ‘raise' and ’height' that change the appearance
> of parentheses but do not display something else entirely.

I was talking about the so-called "replacing" display specs.  Sorry
for not being clear enough.




^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10 16:35     ` Eli Zaretskii
  2013-12-10 17:51       ` Josh
@ 2013-12-11  0:03       ` Leo Liu
  2013-12-11  4:19         ` Stefan Monnier
  1 sibling, 1 reply; 14+ messages in thread
From: Leo Liu @ 2013-12-11  0:03 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: monnier, emacs-devel

On 2013-12-11 00:35 +0800, Eli Zaretskii wrote:
> Maybe you could suggest a couple of such cases, because I cannot think
> of one.  We are talking about highlighting parentheses that are not
> displayed because some display property is displayed instead, right?

Like I said I have no particular preference for one way or another. But
for example if } is displayed as 'END' and show-paren-mode highlights it
I am fine.

Leo



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-11  0:03       ` Leo Liu
@ 2013-12-11  4:19         ` Stefan Monnier
  0 siblings, 0 replies; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11  4:19 UTC (permalink / raw)
  To: Leo Liu; +Cc: Eli Zaretskii, emacs-devel

> Like I said I have no particular preference for one way or another. But
> for example if } is displayed as 'END' and show-paren-mode highlights it
> I am fine.

Good point.


        Stefan



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-10  7:52     ` martin rudalics
@ 2013-12-11  4:29       ` Stefan Monnier
  2013-12-11  8:14         ` martin rudalics
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11  4:29 UTC (permalink / raw)
  To: martin rudalics; +Cc: Eli Zaretskii, sdl.web, emacs-devel

> IMO read-passwd should be in C and strip any extraneous
> text-properties and overlays after running all hooks.

I don't see why we should write it in C, but stripping away overlays and
text-properties would make sense.  Another approach would be to replace
chars with . not just in the display but in the buffer itself and keep
the actual chars in a text property.  The main property I want to
preserve is that normal editing works (tho you have to do it "blind"),
which is why the "hiding" is done in an after-change-function.


        Stefan



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-11  4:29       ` Stefan Monnier
@ 2013-12-11  8:14         ` martin rudalics
  2013-12-11 15:13           ` Stefan Monnier
  0 siblings, 1 reply; 14+ messages in thread
From: martin rudalics @ 2013-12-11  8:14 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Eli Zaretskii, sdl.web, emacs-devel

 > I don't see why we should write it in C, but stripping away overlays and
 > text-properties would make sense.

In Lisp there's always a simple way to inadvertently or maliciously
reveal some text property.  C wouldn't eliminate but reduce that danger.

 > Another approach would be to replace
 > chars with . not just in the display but in the buffer itself and keep
 > the actual chars in a text property.

Sounds good but not entirely trivial to implement.

 > The main property I want to
 > preserve is that normal editing works (tho you have to do it "blind"),
 > which is why the "hiding" is done in an after-change-function.

Which is the weak point IMO.  I wouldn't like to type a password with
`after-change-functions' or any other hook running in between.
Obviously, if the text is in a (mini-)buffer there's always a way that
redisplay reveals it.  In this sense `show-paren-mode' was only the tip
of the iceberg.  I would like a "hide" text property which can be only
set and removed from C and overrides any other text or overlay property
specified anywhere else.

martin



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-11  8:14         ` martin rudalics
@ 2013-12-11 15:13           ` Stefan Monnier
  2013-12-11 17:55             ` martin rudalics
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Monnier @ 2013-12-11 15:13 UTC (permalink / raw)
  To: martin rudalics; +Cc: Eli Zaretskii, sdl.web, emacs-devel

>> I don't see why we should write it in C, but stripping away overlays and
>> text-properties would make sense.
> In Lisp there's always a simple way to inadvertently or maliciously
> reveal some text property.  C wouldn't eliminate but reduce that danger.

For the "maliciously" case: this is Emacs we're talking about.  Even if
implemented in C, a "malicious" intruder can place enough advices to
circumvent pretty much any such "security".  So worrying about this case
is not very useful.

Second, hiding the text from display is just a "sanity" measure.
Note that there are many cases where you actually want to see the
password as you type it (it's pretty common nowadays to see password
prompts where you can click a "show password" toggle box).

Showing the paren-matches is not that terrible of a problem.  We already
display the number of chars and I haven't heard anyone complain about
this "information leak".

>> Another approach would be to replace chars with . not just in the
>> display but in the buffer itself and keep the actual chars in
>> a text property.
> Sounds good but not entirely trivial to implement.

If we want it to be 100%, indeed it's not trivial, but using the new
pre-redisplay-functions it should be pretty easy to do a "good enough"
job (good enough to cover show-paren-mode, for instance).

> Which is the weak point IMO.  I wouldn't like to type a password with
> `after-change-functions' or any other hook running in between.

I don't think we want to try and disable pre/post-command-hook, timers,
process filters, before/after-change-functions, and other redisplay
hooks just out of paranoia.


        Stefan



^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
  2013-12-11 15:13           ` Stefan Monnier
@ 2013-12-11 17:55             ` martin rudalics
  0 siblings, 0 replies; 14+ messages in thread
From: martin rudalics @ 2013-12-11 17:55 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Eli Zaretskii, sdl.web, emacs-devel

 > For the "maliciously" case: this is Emacs we're talking about.  Even if
 > implemented in C, a "malicious" intruder can place enough advices to
 > circumvent pretty much any such "security".  So worrying about this case
 > is not very useful.

The malicious case would include a person demonstrating how easy it is
to bypass the Emacs protection mechanism.

 > I don't think we want to try and disable pre/post-command-hook, timers,
 > process filters, before/after-change-functions, and other redisplay
 > hooks just out of paranoia.

IIRC we already cover other cases like undo revealing a previously typed
password as well as passwords ending up in bug reports as recently typed
characters.  IMO typing passswords should be based on limited editing
facilities like yanking, self-insertion, cursor movement and deletion
commands.

martin



^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2013-12-11 17:55 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <E1Vpqlh-0007jZ-DD@vcs.savannah.gnu.org>
2013-12-10  2:36 ` [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode Stefan Monnier
2013-12-10  3:52   ` Eli Zaretskii
2013-12-10  7:52     ` martin rudalics
2013-12-11  4:29       ` Stefan Monnier
2013-12-11  8:14         ` martin rudalics
2013-12-11 15:13           ` Stefan Monnier
2013-12-11 17:55             ` martin rudalics
     [not found]   ` <<83siu1xszu.fsf@gnu.org>
2013-12-10  3:59     ` Drew Adams
2013-12-10  4:12   ` Leo Liu
2013-12-10 16:35     ` Eli Zaretskii
2013-12-10 17:51       ` Josh
2013-12-10 18:17         ` Eli Zaretskii
2013-12-11  0:03       ` Leo Liu
2013-12-11  4:19         ` Stefan Monnier

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.