GNU bug report logs - #36154
read-passwd allows copying typed in password to kill-ring


Package: emacs

Reported by: Ahmet BASTUG <bastugn <at> itu.edu.tr>

Date: Sun, 9 Jun 2019 20:56:01 UTC

Severity: minor

Tags: security, wontfix

Found in version 26.2

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Ahmet BASTUG <bastugn <at> itu.edu.tr>
Cc: 36154 <at> debbugs.gnu.org
Subject: bug#36154: 26.2; read-passwd function creates a security issue
Date: Thu, 10 Oct 2019 01:25:59 +0200

Ahmet BASTUG <bastugn <at> itu.edu.tr> writes:

> read-passwd function which is located in "subr.el" causes kind of a
> security issue. When function is used, user is prompted with a prompt
> and everything user typed is displayed as '.' characters. If any kind
> of kill operation is performed on the prompt minibuffer, real value is 
> saved into kill-ring. Then you can yank it anywhere you want. I'm not
> sure this is meant this way but I think not.

I think it makes sense to allow users to do this -- this is something
that should be up to them whether to do or not.  So I'm closing this bug
report.  If anybody disagrees with this, please feel free to reopen.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
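
Since the report was closed as a matter of user choice, a user who does not want text killed at the password prompt to persist can isolate the prompt in their own init file. The following is an added example, not part of this thread and not Emacs's own code. The `my/` function name is hypothetical, and the sketch assumes the kill goes through the standard kill commands, which store text in `kill-ring` and export it through `interprogram-cut-function`.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example (not from the bug thread, not Emacs's own code).
;; Kills made while `read-passwd' is prompting go into a temporary
;; copy of the kill ring that is discarded when the prompt returns.

(defun my/read-passwd-isolate-kills (orig-fun &rest args)
  "Call ORIG-FUN (`read-passwd') with ARGS using a throwaway kill ring.
The function name is hypothetical; the variables bound here are
standard Emacs variables."
  (let* (;; Copy the list so existing entries can still be yanked into
         ;; the prompt, while new kills (and `kill-append', which uses
         ;; `setcar') only touch the copy.
         (kill-ring (copy-sequence kill-ring))
         ;; Keep the yank pointer consistent with the temporary ring.
         (kill-ring-yank-pointer kill-ring)
         ;; Do not export kills to the window-system clipboard/selection.
         (interprogram-cut-function nil))
    (apply orig-fun args)))

;; `kill-ring' and the other variables are special (dynamically bound),
;; so the bindings above are in effect for the whole minibuffer session
;; started by `read-passwd', and are undone when it returns or is
;; aborted with C-g.
(advice-add 'read-passwd :around #'my/read-passwd-isolate-kills)

;; To undo the change:
;; (advice-remove 'read-passwd #'my/read-passwd-isolate-kills)
```

This only covers prompts that go through `read-passwd`; code that reads secrets with another function is unaffected by the advice.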




This bug report was last modified 5 years and 227 days ago.
