GNU bug report logs - #5664
view-lossage may show passwords and sensitive information

Previous Next

Package: emacs;

Reported by: Andreas Roehler <andreas.roehler <at> online.de>

Date: Mon, 1 Mar 2010 08:17:02 UTC

Severity: normal

Done: Michael Albinus <michael.albinus <at> gmx.de>

Bug is archived. No further changes may be made.

Full log

Message #22 received at 5664 <at> debbugs.gnu.org (full text, mbox):

From: Andreas Roehler <andreas.roehler <at> online.de>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: Chong Yidong <cyd <at> stupidchicken.com>, 5664 <at> debbugs.gnu.org
Subject: Re: bug#5664: 23.1.92; view-lossage
Date: Sat, 06 Mar 2010 22:50:30 +0100

Stefan Monnier wrote:
>> However, think there is a bug though.  If Emacs is able to display the
>> prompt delivered, it should adapt its behavior independently from the
>> regexp already customized.
> 
> Emacs has no idea that the string it receives from the underlying
> process is a prompt for a password. 

Hhm, the shell itself seems to know. So if the shell knows, Emacs questions the shell, it should be
possible collect info from there.

 All it knows is that the subprocess
> sent some text to display to the user.  And then no more text comes
> in; and then the user types something so it's sent to the subprocess;
> ... this is exactly the same interaction as for any other text than
> a password.
> 
> Maybe in some cases, the subprocess sets up the tty in a particular way
> while it's reading the password.  I don't know enough about ttys to know
> if that could be used and if so how, but it might be worth looking into.
> 
> 
>         Stefan
> 

Thanks,

would consider it useful, to leave the bug open for remembering.
As the OP reported, risks exist, which are avoidable IMO.

Andreas
This bug report was last modified 11 years and 120 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.