GNU bug report logs - #30190
27.0.50; term run in line mode shows user passwords

Previous Next

Package: emacs;

Reported by: Tino Calancha <tino.calancha <at> gmail.com>

Date: Sun, 21 Jan 2018 12:17:02 UTC

Severity: normal

Tags: confirmed, fixed, security

Found in versions 27.0.50, 24.3

Fixed in version 26.2

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #15 received at 30190 <at> debbugs.gnu.org (full text, mbox):

From: Tino Calancha <tino.calancha <at> gmail.com>
To: Noam Postavsky <npostavs <at> users.sourceforge.net>
Cc: 30190 <at> debbugs.gnu.org, Tino Calancha <tino.calancha <at> gmail.com>
Subject: Re: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Mon, 22 Jan 2018 06:08:26 +0900 (JST)


On Sun, 21 Jan 2018, Noam Postavsky wrote:

> Yes, seems to have been the case for a long time, I can reproduce back
> to 24.3 (oldest Emacs version I have running).
It's even worse; the password is stored in the history of commands; after 
introduce the password 'M-p' will show it.

>> * If you run the terminal in char modem then the password is not shown.
>> * If you run a dumb shell instead, then the password is read from the
>>   minibuffer with `send-invisible', thereby the password is not shown.
>
> What do you mean by "dumb shell"?
I mean this:
M-x shell RET
sudo ls
;; Here password is read (invisible) from the minibuffer. You still can
jump to the *shell* buffer and input th epasword there; in that case
the password is visible, but as longer as you input it from the minibuffer
everything is OK.
This bug report was last modified 6 years and 357 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.