GNU bug report logs - #36154
read-passwd allows copying typed in password to kill-ring

Previous Next

Package: emacs;

Reported by: Ahmet BASTUG <bastugn <at> itu.edu.tr>

Date: Sun, 9 Jun 2019 20:56:01 UTC

Severity: minor

Tags: security, wontfix

Found in version 26.2

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Phil Sainty <psainty <at> orcon.net.nz>
To: Lars Ingebrigtsen <larsi <at> gnus.org>
Cc: Ahmet BASTUG <bastugn <at> itu.edu.tr>, 36154 <at> debbugs.gnu.org
Subject: bug#36154: 26.2; read-passwd function creates a security issue
Date: Thu, 10 Oct 2019 13:30:24 +1300

On 2019-10-10 12:25, Lars Ingebrigtsen wrote:
> I think it makes sense to allow users to do this -- this is something
> that should be up to them whether to do or not.  So I'm closing this 
> bug
> report.  If anybody disagrees with this, please feel free to reopen.

A potential solution to this would to make the low-level kill functions
respect a new `inhibit-kill-ring' variable, such that nothing would be
added to the kill ring if that was non-nil.

A user option for the password entry routine could then be added to 
control
whether or the variable was set by `read-passwd' when setting up the
minibuffer.

This facility might also have more general applicability, and perhaps
even warrant a minor mode.  I can certainly envisage `inhibit-kill-ring'
being let-bound by users for specific cases, if they consider that 
unwanted
kill ring pollution was occurring.


-Phil
This bug report was last modified 5 years and 227 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.