GNU bug report logs - #17839
24.4.50; read-passwd echoes password input in non-interactive sessions

Previous Next

Package: emacs;

Reported by: Sebastian Wiesner <swiesner <at> lunaryorn.com>

Date: Mon, 23 Jun 2014 15:37:02 UTC

Severity: normal

Found in version 24.4.50

Fixed in version 24.4

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #11 received at 17839 <at> debbugs.gnu.org (full text, mbox):

From: Sebastian Wiesner <swiesner <at> lunaryorn.com>
To: Andreas Schwab <schwab <at> suse.de>
Cc: 17839 <at> debbugs.gnu.org
Subject: Re: bug#17839: 24.4.50;
 read-passwd echoes password input in non-interactive sessions
Date: Mon, 23 Jun 2014 18:52:34 +0200

Am 23.06.2014 um 17:46 schrieb Andreas Schwab <schwab <at> suse.de>:

> Sebastian Wiesner <swiesner <at> lunaryorn.com> writes:
> 
>> In a non-interactive session, i.e. "emacs -Q --batch …", `read-passwd'
>> currently echoes the password input on the TTY.
> 
> Batch mode isn't designed for interaction. It uses standard I/O,
> oblivious to who is consuming the input.

In this case `read-passwd’ should at least signal an error when called in non-interactive mode, and have a warning in its doctoring.  

Currently it is simply insecure in non-interactive mode, and neither its docstring nor the Emacs Lisp manual document that the password is exposed when called in non-interactive mode.

This bug report was last modified 10 years and 295 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #17839 24.4.50; read-passwd echoes password input in non-interactive sessions

GNU bug report logs - #17839
24.4.50; read-passwd echoes password input in non-interactive sessions