GNU bug report logs - #30186
27.0.50; Password is not hidden in read-passwd


Package: emacs;

Reported by: Juri Linkov <juri <at> linkov.net>

Date: Sat, 20 Jan 2018 21:40:02 UTC

Severity: normal

Found in version 27.0.50

Done: Alan Mackenzie <acm <at> muc.de>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Juri Linkov <juri <at> linkov.net>
Subject: bug#30186: closed (Re: bug#30186: 27.0.50; Password is not hidden
 in read-passwd)
Date: Sat, 27 Jan 2018 22:19:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#30186: 27.0.50; Password is not hidden in read-passwd

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 30186 <at> debbugs.gnu.org.

-- 
30186: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30186
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Alan Mackenzie <acm <at> muc.de>
To: Eli Zaretskii <eliz <at> gnu.org>, Juri Linkov <juri <at> linkov.net>
Cc: 30186-done <at> debbugs.gnu.org
Subject: Re: bug#30186: 27.0.50; Password is not hidden in read-passwd
Date: Sat, 27 Jan 2018 22:10:06 +0000
Hello, Eli and Juri.

On Sat, Jan 27, 2018 at 23:43:34 +0200, Juri Linkov wrote:
> >> So let's do that now.  I think the problem with read-passwd is a
> >> security issue, so it should go to emacs-26, do you agree?

> > Yes, I think it should go into emacs-26.

> > Juri, do you see any problem with just removing that
> > with-silent-modifications altogether?  I.e. this:

> I agree that removing with-silent-modifications would be
> the best fix.  Thanks for taking care of this.

Thanks.  I've made this change and committed it to the emacs-26 branch.

I'm closing the bug with this post.

-- 
Alan Mackenzie (Nuremberg, Germany).

[Message part 3 (message/rfc822, inline)]
From: Juri Linkov <juri <at> linkov.net>
To: bug-gnu-emacs <at> gnu.org
Subject: 27.0.50; Password is not hidden in read-passwd
Date: Sat, 20 Jan 2018 23:29:35 +0200
This is a regression and a security flaw.

Reading a password with ‘read-passwd’ doesn't hide inserted characters
anymore as it used to do in older versions.

When the user has such customization:

  (custom-set-variables
   '(yank-excluded-properties t))

evaluating

  (read-passwd "Prompt: ")

and yanking a password to the minibuffer with 'C-y' doesn't hide it
as it did in Emacs 25.

This can be traced down to ‘remove-yank-excluded-properties’
where ‘set-text-properties’ used to leave ‘display’ properties
(with ‘.’ over inserted characters) in the minibuffer.
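
[Added example, not part of the original report and not Emacs's own code.] A simplified Emacs Lisp model of the regression discussed in this thread: a buffer-local after-change function masks each character with a `display` property, and stripping all properties only keeps the mask if change hooks are allowed to run afterwards. All `demo-` names and the secret string are constructed for illustration; it assumes the mask is applied from `after-change-functions`.

```elisp
;; Simplified model of the regression; the demo-* names are hypothetical
;; and are not Emacs internals.

(defun demo-mask-chars (beg end _len)
  "After-change function: cover each changed character with a dot."
  (dotimes (i (- end beg))
    (put-text-property (+ beg i) (+ beg i 1) 'display ".")))

(defun demo-strip-properties (beg end silent)
  "Strip all text properties between BEG and END.
This models what yanking does when `yank-excluded-properties' is t.
If SILENT is non-nil, wrap the call in `with-silent-modifications',
which suppresses the change hooks."
  (if silent
      (with-silent-modifications (set-text-properties beg end nil))
    (set-text-properties beg end nil)))

(defun demo-fully-masked-p ()
  "Return t if every character in the buffer has a `display' property."
  (let ((pos (point-min))
        (masked t))
    (while (and masked (< pos (point-max)))
      (setq masked (and (get-text-property pos 'display) t)
            pos (1+ pos)))
    masked))

(defun demo-yank-keeps-mask-p (silent)
  "Insert a constructed secret, strip its properties, report masking.
Return t if the text is still fully masked afterwards."
  (with-temp-buffer
    (add-hook 'after-change-functions #'demo-mask-chars nil t)
    ;; Constructed sample value, not a real credential.
    (insert "constructed-secret")
    (demo-strip-properties (point-min) (point-max) silent)
    (demo-fully-masked-p)))

;; Compare the two paths: hooks allowed to run vs. hooks silenced.
(list :hooks-run (demo-yank-keeps-mask-p nil)
      :hooks-silenced (demo-yank-keeps-mask-p t))
```

Evaluating the final form returns the masking state for both paths, so it can serve as a quick regression check for a masking hook of this kind.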



This bug report was last modified 7 years and 171 days ago.
