GNU bug report logs - #17839
24.4.50; read-passwd echoes password input in non-interactive sessions


Package: emacs;

Reported by: Sebastian Wiesner <swiesner <at> lunaryorn.com>

Date: Mon, 23 Jun 2014 15:37:02 UTC

Severity: normal

Found in version 24.4.50

Fixed in version 24.4

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.



Message #17 received at 17839 <at> debbugs.gnu.org (full text, mbox):

From: Sebastian Wiesner <swiesner <at> lunaryorn.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: Andreas Schwab <schwab <at> suse.de>, 17839 <at> debbugs.gnu.org
Subject: Re: bug#17839: 24.4.50; read-passwd echoes password input in non-interactive sessions
Date: Wed, 25 Jun 2014 00:55:53 +0200

On 24.06.2014 at 20:41, Glenn Morris <rgm <at> gnu.org> wrote:

> Sebastian Wiesner wrote:
> 
>>> Batch mode isn't designed for interaction. It uses standard I/O,
>>> oblivious to who is consuming the input.
>> 
>> In this case `read-passwd' should at least signal an error when called
>> in non-interactive mode,
> 
> I think that would be overkill.

I think that `read-passwd' is a special case, because it *leaks a secret* when used in non-interactive mode, and the fact that it does is not immediately obvious.  To learn this *in advance*, that is, before actually using this function in non-interactive code, one has to conclude from some rather abstract descriptions of Emacs’ behavior in the Emacs manual.

>> Currently it is simply insecure in non-interactive mode, and neither
>> its docstring nor the Emacs Lisp manual document that the password is
>> exposed when called in non-interactive mode.
> 
> It's in the manual section on minibuffer input, and in batch mode there
> is no minibuffer. For example, read-file-name doesn't offer completion
> in batch-mode. It doesn't provide history. ctrl-k doesn't work. Etc.
> I see no point in mentioning these things in the doc-string of every
> function that uses the minibuffer.

There is a difference, I think.  Completion, history, C-k, etc. are not crucial for entering a file name, but hiding input is absolutely crucial to entering a password securely.  I can perfectly enter a file name without history or completion, but I cannot securely enter a password if it is shown during input.  

So `read-file-name' works in non-interactive mode, albeit less conveniently, but `read-passwd' arguably does not.

Pointing out that non-interactive mode isn’t designed for interaction is right, probably, but misses the point imho.

Besides, “non-interactive” is a little vague.  It’s obvious that `--batch' is non-interactive, but is `--script' as well?  In other languages, e.g. Python or Perl, scripts regularly do interaction, including reading passwords.

I think it’s only natural that Emacs users will try to do the same in Emacs Lisp, encouraged by the existence of `--script', so they’ll sooner or later hit this issue.
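
A fail-closed wrapper for the behaviour reported in this bug, as an added example that is not part of the thread and not Emacs' own code. It signals an error instead of prompting when `noninteractive' is set; all `example-' names are hypothetical.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example. Every `example-' symbol is hypothetical; only
;; `read-passwd', `noninteractive', `clear-string', `define-error'
;; and the other built-ins belong to Emacs.

(define-error 'example-echo-unsafe
  "Refusing to read a secret: input would be echoed")

(defun example-read-passwd (prompt &optional confirm)
  "Read a password with `read-passwd', but fail closed in batch mode.
`noninteractive' is non-nil under --batch and --script, where there
is no minibuffer to hide the typed characters."
  (when noninteractive
    (signal 'example-echo-unsafe (list prompt)))
  (read-passwd prompt confirm))

(defun example-call-with-passwd (prompt fn)
  "Call FN with a password read via `example-read-passwd'.
The string is overwritten with `clear-string' afterwards, even if FN
signals an error, so the secret does not linger in the Lisp heap."
  (let ((secret (example-read-passwd prompt)))
    (unwind-protect
        (funcall fn secret)
      (clear-string secret))))

;; In a script: report the refusal on stderr and exit non-zero rather
;; than prompting on a terminal that would display the password.
(when noninteractive
  (condition-case err
      (example-call-with-passwd "Password: " #'ignore)
    (example-echo-unsafe
     (message "%s" (error-message-string err))
     (kill-emacs 1))))
```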



This bug report was last modified 10 years and 295 days ago.
