GNU bug report logs - #30190
27.0.50; term run in line mode shows user passwords

Previous Next

Package: emacs;

Reported by: Tino Calancha <tino.calancha <at> gmail.com>

Date: Sun, 21 Jan 2018 12:17:02 UTC

Severity: normal

Tags: confirmed, fixed, security

Found in versions 27.0.50, 24.3

Fixed in version 26.2

Done: Noam Postavsky <npostavs <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Noam Postavsky <npostavs <at> users.sourceforge.net>
To: Tino Calancha <tino.calancha <at> gmail.com>
Cc: 30190 <at> debbugs.gnu.org
Subject: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Sun, 21 Jan 2018 09:01:39 -0500

found 30190 24.3
tags 30190 + confirmed
quit

Tino Calancha <tino.calancha <at> gmail.com> writes:

> 1. Start a new terminal emulator in line mode.
> M-x term RET
> C-c C-j
>
> 2. run a command that prompt for user's password
>    (e.g., 'sudo ls' or 'git push'); the user password
>    visible.

Yes, seems to have been the case for a long time, I can reproduce back
to 24.3 (oldest Emacs version I have running).

> * If you run the terminal in char modem then the password is not shown.
> * If you run a dumb shell instead, then the password is read from the
>   minibuffer with `send-invisible', thereby the password is not shown.

What do you mean by "dumb shell"?
This bug report was last modified 6 years and 357 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.