From: Michael Mauger via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Sat, 02 Nov 2019 19:41:44 +0000
References: <-DPnoQRPO3mztTMZP0CLEkVHEueQfRbf1NL2NMBa_alnqjzctP5kLNyD-Gd_yioQqTu-QiEXfLGzidBeSrX0jY_-tlyrBEnMU5Mo5febRng=@protonmail.com>
To: Andrew Hyatt
Cc: 8427@debbugs.gnu.org, Stefan Kangas
X-GNU-PR-Keywords: security
Xref: news.gmane.org gmane.emacs.bugs:170845

On Saturday, November 2, 2019 1:10 AM, Andrew Hyatt wrote:

> Michael Mauger mmauger@protonmail.com writes:
>
> > On Sunday, October 20, 2019 8:56 PM, Andrew Hyatt ahyatt@gmail.com wrote:
> >
>
> Your advice is good, but following it led me to some complexity I can't
> seem to get away from. Perhaps you have some insight, so let me explain.
> The issue is that, yes, I can not advise the comint function. However,
> if I supply my own function, then I have to remove the
> comint-watch-for-password-prompt, supply my own function, then restore
> it when the user has entered their password (so it can handle subsequent
> password entries). This juggling of the normal
> comint-watch-for-password-prompt method, plus the fact that we basically
> have to reimplement part of it, gives me pause - I think it's probably
> too hacky a solution.
>
> There's a few ways out. We could introduce a variable used in
> sql-product-alist that tells SQL not to prompt for a password because
> the db will just get it via the comint password function. That would
> probably work well, but it wouldn't store the sql-password at all, that
> variable would be unused. Maybe that's OK, maybe not - I don't have a
> good sense for it.
>
> Or, we could make this auto-password-supplying per-buffer a part of
> comint itself. That would widen the scope of the fix, but it would
> probably be the best of both functionality and simplicity.
>
> What do you think?
>

I totally understand the complexity, but I don't think it has to be too complicated to address.
First the sql.el only solution: If the sql-comint function decides to pass the password via stdin then it can set a buffer-local flag indicating this and then replace `comint-watch-for-password-prompt' on the `comint-output-filter-functions' list with the sql version of the function. The sql password function would be something along the lines of:

    ;; TOTALLY NOT TESTED
    ;; The flag `sql-comint' is expected to set buffer-locally when it
    ;; hands the password to the process over stdin rather than on the
    ;; command line.
    (defvar-local sql-will-prompt-for-password nil
      "Non-nil means the next password prompt is answered with `sql-password'.")

    (defun sql-watch-for-password-prompt (string)
      "blah blah ;)"
      (if sql-will-prompt-for-password
          ;; (based on comint-watch-for-password-prompt) vvv
          (when (let ((case-fold-search t))
                  ;; Product-specific prompt regexp, falling back to comint's.
                  (string-match (or (sql-get-product-feature
                                     sql-product 'password-prompt-regexp)
                                    comint-password-prompt-regexp)
                                string))
            (when (string-match "^[ \n\r\t\v\f\b\a]+" string)
              (setq string (replace-match "" t t string)))
            (let ((comint--prompt-recursion-depth
                   (1+ comint--prompt-recursion-depth)))
              (if (> comint--prompt-recursion-depth 10)
                  (message "Password prompt recursion too deep")
                ;;; ^^^
                ;;; automagically provide the password
                (let ((proc (get-buffer-process (current-buffer))))
                  (when proc
                    (funcall comint-input-sender proc sql-password)
                    ;; Make sure we don't supply again (only once the
                    ;; password has actually been sent, so an earlier
                    ;; banner chunk does not clear the flag)
                    (setq-local sql-will-prompt-for-password nil))))))
        ;; Back to default behavior
        (comint-watch-for-password-prompt string)))

That should get you close without too much difficulty. Of course, it requires that a password-prompt-regexp feature is defined for the sql product and that the sql-comint function defines a buffer-local flag `sql-will-prompt-for-password' if it is deferring to stdin.

The other solution would involve modifying comint to call a hook if set to supply a password or nil. This would probably be a simpler change but may get broader attention. When the hook function is not set or returns nil then do the default behavior of calling `comint-send-invisible', otherwise just send the password.

There are some edge cases here, but this hopefully helps.
Also, obviously, test cases are needed given that if this breaks, we break the sql interactive world!

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
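The following is an added example, written for this page and not code from the bug thread, from sql.el or from comint. It models the second alternative Michael sketches, a hook consulted when a password prompt appears with `comint-send-invisible' as the fallback, without modifying comint itself, and pairs it with the kind of ERT test the closing remark asks for. Every name prefixed `demo-' is hypothetical; `comint-password-prompt-regexp', `comint-send-string', `comint-watch-for-password-prompt' and `make-comint-in-buffer' are existing comint functions and variables. The "database client" is a constructed POSIX sh one-liner that reads its password from the terminal, and the test checks the property bug#8427 is about: the secret reaches the process over stdin and never appears in its argument vector.

```elisp
;; Added example (not from the bug thread, sql.el or comint): a model of
;; the "comint calls a hook" design, plus an ERT test against a fake client.
;; All `demo-' names are hypothetical; comint itself is used unmodified.
(require 'comint)
(require 'ert)
(require 'seq)

(defvar-local demo-password-function nil
  "Hypothetical hook: called with the prompt text when a password prompt
is seen.  A returned string is written to the process's stdin; nil falls
back to comint's interactive `comint-send-invisible' path.")

(defun demo-watch-for-password-prompt (string)
  "Answer a password prompt in STRING via `demo-password-function'.
Intended for `comint-output-filter-functions' in place of
`comint-watch-for-password-prompt', whose prompt regexp it reuses."
  (when (let ((case-fold-search t))
          (string-match comint-password-prompt-regexp string))
    (let ((password (and demo-password-function
                         (funcall demo-password-function string))))
      (if password
          (let ((proc (get-buffer-process (current-buffer))))
            (when proc
              ;; The secret travels over stdin only; it is never part of
              ;; the command line that ps(1) can read.
              (comint-send-string proc (concat password "\n"))))
        ;; Hook unset or declined: default behaviour, ask the user.
        (comint-watch-for-password-prompt string)))))

(defconst demo-fake-client-script
  "stty -echo 2>/dev/null; printf 'Password: '; read pw; stty echo 2>/dev/null; printf '\\ngot:%s\\n' \"$pw\""
  "Constructed stand-in for a client that reads its password from the terminal.
`stty -echo' mirrors what real clients do so the secret is not echoed back;
on a pipe (no pty) stty fails silently and the rest still works.")

(defun demo-start-fake-client (buffer-name password-function)
  "Run the fake client in BUFFER-NAME with PASSWORD-FUNCTION installed.
Return the comint buffer."
  (let ((buf (make-comint-in-buffer "demo-client" buffer-name
                                    "sh" nil "-c" demo-fake-client-script)))
    (with-current-buffer buf
      ;; Set after `make-comint-in-buffer', since entering comint-mode
      ;; kills local variables; no output is processed before we return.
      (setq demo-password-function password-function)
      ;; Swap comint's watcher for ours, buffer-locally, so the interactive
      ;; prompt never fires while the hook can answer.
      (setq-local comint-output-filter-functions
                  (cons #'demo-watch-for-password-prompt
                        (remq #'comint-watch-for-password-prompt
                              (default-value 'comint-output-filter-functions)))))
    buf))

(defun demo-wait-for (buf regexp &optional seconds)
  "Pump process output into BUF until REGEXP appears or SECONDS elapse.
Return the match position, or nil on timeout."
  (let ((proc (get-buffer-process buf))
        (deadline (+ (float-time) (or seconds 5)))
        (found nil))
    (while (and (not found) (< (float-time) deadline))
      (accept-process-output proc 0.1)
      (setq found (with-current-buffer buf
                    (save-excursion
                      (goto-char (point-min))
                      (re-search-forward regexp nil t)))))
    found))

(ert-deftest demo-password-travels-over-stdin-not-argv ()
  "The fake client prompts, the hook answers, and the secret stays out of argv."
  (let* ((secret "s3cret-from-hook")   ; constructed test value
         (buf (demo-start-fake-client "*demo-client*"
                                      (lambda (_prompt) secret)))
         (proc (get-buffer-process buf)))
    (unwind-protect
        (progn
          ;; The client echoes what it read, proving the hook's answer arrived.
          (should (demo-wait-for buf (regexp-quote (concat "got:" secret))))
          ;; The property bug#8427 is about: nothing in the command line
          ;; (what ps(1) would show) carries the password.
          (should-not (seq-some (lambda (arg)
                                  (string-match-p (regexp-quote secret) arg))
                                (process-command proc))))
      (set-process-query-on-exit-flag proc nil)
      (when (process-live-p proc) (delete-process proc))
      (kill-buffer buf))))
```

Save it as demo.el and run `emacs -Q --batch -l demo.el -f ert-run-tests-batch-and-exit`. The test only checks `process-command', the list ps(1) reports, because that is the leak the bug is about; whether the secret also stays out of the comint buffer depends on the client turning off terminal echo, which the fake script does with `stty -echo' when it has a pty. The hook is buffer-local on purpose: a mode like sql-interactive-mode can install a closure over its own password without any other comint buffer being affected, which is the per-buffer behaviour the thread discusses.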