GNU bug report logs - #30190
27.0.50; term run in line mode shows user passwords
Reported by: Tino Calancha <tino.calancha <at> gmail.com>
Date: Sun, 21 Jan 2018 12:17:02 UTC
Severity: normal
Tags: confirmed, fixed, security
Found in versions 27.0.50, 24.3
Fixed in version 26.2
Done: Noam Postavsky <npostavs <at> gmail.com>
Bug is archived. No further changes may be made.
Message #27 received at 30190 <at> debbugs.gnu.org (full text, mbox):
On Sat, 3 Feb 2018, Noam Postavsky wrote:
> Tino Calancha <tino.calancha <at> gmail.com> writes:
>
>> Noam Postavsky <npostavs <at> users.sourceforge.net> writes:
>>
>>> Yes, seems to have been the case for a long time, I can reproduce back
>>> to 24.3 (oldest Emacs version I have running).
>> This is a security risk. I would like to have it fixed ASAP.
>> Below patch seems to work. Any feedback would be appreciated.
>
> Doesn't look like that much of a risk to me: the user immediately sees
> the problem, so it's more of a minor nuisance.

It depends on the situation. A few years ago, my boss watched my password
because of this thing; if the password had been an offensive word
against him (it wasn't, he was nice) I could have been fired. I remember he
mentioned very proudly that in the vi editor the password is always hidden...
This is also a risk while pair-programming; recently I have been doing a lot
of it with several buddies. I suspect one of my passwords might be compromised.

>> -(defcustom comint-password-prompt-regexp
>
> I don't see an alias for this one. Otherwise I think it's okay.

Thanks, I will fix that.

This bug report was last modified 6 years and 357 days ago.