GNU bug report logs - #49289
28.0.50; auth-source-search may return doubly obfuscated :secret value
Reported by: Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>
Date: Wed, 30 Jun 2021 10:19:01 UTC
Severity: normal
Found in version 28.0.50
Fixed in version 28.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
When I have a ~/.authinfo entry of 'mail.example.com' for user 'foo' but
not user 'bar',

~/.authinfo
machine mail.example.com login foo password abcdef

for a user other than 'foo', auth-source-search returns a function which
returns a function which returns a string.

(progn
  (require 'auth-source)
  (list
   (funcall
    (plist-get
     (car (auth-source-search
           :host "mail.example.com" :user "foo"
           :require '(:secret) :create t))
     :secret))
   (funcall
    (funcall
     ;; *** funcall called twice. ***
     (plist-get
      (car (auth-source-search
            :host "mail.example.com" :user "bar"
            :require '(:secret) :create t))
      :secret)))))

-> ("abcdef" "abcdef")

I don't know whether auth-source supports multiple accounts on the
same host and whether it is a feature that auth-source-search tends to
return another user's password. But I think a doubly obfuscated :secret
value is obviously a bug.
--
Kazuhiro Ito
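
A caller-side guard for the behaviour reported above, as an added example that is not part of the original report or of auth-source itself. The names `my/auth-secret-value` and `my/auth-secret-max-depth` are hypothetical, the depth bound is an assumed value, and the two entries are constructed to mimic the singly and doubly wrapped shapes rather than read from a real ~/.authinfo.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example, not auth-source code.  `my/auth-secret-value' and
;; `my/auth-secret-max-depth' are hypothetical names.

(defconst my/auth-secret-max-depth 4
  "Upper bound on nested wrappers before giving up (assumed value).")

(defun my/auth-secret-value (entry)
  "Return the :secret of auth-source ENTRY as a string, or nil.
Call the value for as long as it is still a function, so that a
singly or a doubly wrapped secret both resolve.  Signal an error
past the depth bound or when the final value is not a string, so
a closure is never handed on as if it were a password."
  (let ((secret (plist-get entry :secret))
        (depth 0))
    (while (functionp secret)
      (when (>= depth my/auth-secret-max-depth)
        (error "auth-source :secret nested deeper than %d wrappers"
               my/auth-secret-max-depth))
      (setq secret (funcall secret)
            depth (1+ depth)))
    (unless (or (null secret) (stringp secret))
      ;; Report only the type; never put the value in an error message.
      (error "auth-source :secret resolved to a %s, not a string"
             (type-of secret)))
    secret))

;; Constructed entries mimicking the two shapes in the report.
(let* ((plain "abcdef")
       (single (list :host "mail.example.com" :user "foo"
                     :secret (lambda () plain)))
       (double (list :host "mail.example.com" :user "bar"
                     :secret (lambda () (lambda () plain)))))
  ;; Both calls resolve to the same plain string.
  (list (my/auth-secret-value single)
        (my/auth-secret-value double)))
```

The guard only normalises the wrapping; it does not address the other point raised in the report, that the entry returned for user 'bar' carries the password stored for 'foo'.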
This bug report was last modified 1 year and 31 days ago.