bug-gnu-emacs

bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps


From: Andrew Hyatt
Subject: bug#8427: [SECURITY] sql.el -- comint process passwords are leaked to ps(1) listing
Date: Wed, 18 Dec 2019 01:15:15 -0500

Hi Michael,

I'm happy to merge this in.  I have FSF paperwork done and already have commit access.

However, I agree with you about pushing logic into comint.  As I mentioned before, it would help simplify the logic here.  It might be best to not check this in and see what an alternate solution might be first, based on comint.  I can work on that soon and get a patch out in the next week or so.

On Mon, Dec 16, 2019 at 10:12 AM Michael Mauger <mmauger@protonmail.com> wrote:

-------- Original Message --------
On Dec 15, 2019, 11:59 PM, Andrew Hyatt <ahyatt@gmail.com> wrote:
> Any input on this?  I believe this fixes the issue, and would prefer to
> revise this while I still remember the details.  I'm happy to submit this
> as well.

>> On Mon, Nov 11, 2019 at 12:31 AM Andrew Hyatt <ahyatt@gmail.com> wrote:

>> I've simplified an implementation along the lines you suggest, and
>> tested it via ert. I'm attaching the latest version of the patch.
>> Please let me know what you think.

I apologise for not getting back to you sooner-- a new job and the holidays have consumed much of my time. My initial look at your latest patch raised some concerns but I haven't done any deeper look yet. I'll try to take a look in the next week or so. If you don't hear back from me after the new year, then let's merge it and we'll address the issues from there. (I know I mentioned this before but I don't remember the status-- do you have your copyright paperwork all set for Emacs contributions?)

I think my thought was that it may make sense to push some of this back onto comint rather than a convoluted sql-only solution, but that may require some more negotiation. As I looked at it, using a comint hook might serve auth services as well.

Sorry about the silence; you have not been forgotten, just buried in end-of-year turmoil :)

--
MICHAEL@MAUGER.COM // FSF and EFF member // GNU Emacs sql.el maintainer
