bug#17839: 24.4.50; read-passwd echoes password input in non-interactive
From: Sebastian Wiesner
Subject: bug#17839: 24.4.50; read-passwd echoes password input in non-interactive sessions
Date: Wed, 25 Jun 2014 00:55:53 +0200

On 24.06.2014 at 20:41, Glenn Morris <rgm@gnu.org> wrote:

> Sebastian Wiesner wrote:
>
>>> Batch mode isn't designed for interaction. It uses standard I/O,
>>> oblivious to who is consuming the input.
>>
>> In this case `read-passwd' should at least signal an error when called
>> in non-interactive mode,
>
> I think that would be overkill.

I think that `read-passwd’ is a special case, because it *leaks a secret* when
used in non-interactive mode, and the fact that it does is not immediately
obvious. To learn this *in advance*, that is, before actually using this
function in non-interactive code, one has to conclude from some rather abstract
descriptions of Emacs’ behavior in the Emacs manual.

>> Currently it is simply insecure in non-interactive mode, and neither
>> its docstring nor the Emacs Lisp manual document that the password is
>> exposed when called in non-interactive mode.
>
> It's in the manual section on minibuffer input, and in batch mode there
> is no minibuffer. For example, read-file-name doesn't offer completion
> in batch-mode. It doesn't provide history. ctrl-k doesn't work. Etc.
> I see no point in mentioning these things in the doc-string of every
> function that uses the minibuffer.

There is a difference, I think. Completion, history, C-k, etc. are not crucial
for entering a file name, but hiding input is absolutely crucial to entering a
password securely. I can perfectly enter a file name without history or
completion, but I cannot securely enter a password if it is shown during input.
So `read-file-name’ works in non-interactive mode, albeit less conveniently,
but `read-passwd’ arguably does not.

Pointing out that non-interactive mode isn’t designed for interaction is right,
probably, but misses the point imho.

Besides, “non-interactive” is a little vague. It’s obvious that `--batch’ is
non-interactive, but is `--script’ as well? In other languages, e.g. Python or
Perl, scripts regularly do interaction, including reading passwords.
I think it’s only natural that Emacs users will try to do the same in Emacs
Lisp, encouraged by the existence of `--script’, so they’ll sooner or later hit
this issue.
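
The guard asked for in this message ("should at least signal an error"), written out as an added example that is not part of the original mail and not Emacs' own code. The names my-read-passwd and my-read-passwd-allow-echo are hypothetical; only `read-passwd' and the variable `noninteractive' come from Emacs.

```elisp
;;; Added example (not from the bug thread or from Emacs itself).
;;; `my-read-passwd' and `my-read-passwd-allow-echo' are hypothetical names.

(defvar my-read-passwd-allow-echo nil
  "When non-nil, allow password prompts even if the input may be echoed.
Leave this nil unless the caller has arranged for echo to be disabled
by some other means.")

(defun my-read-passwd (prompt &optional confirm default)
  "Like `read-passwd', but fail closed in non-interactive sessions.
`noninteractive' is non-nil under --batch and also under --script,
which runs Emacs in batch mode.  In those sessions there is no
minibuffer and input is read from standard input, so the typed
password would be visible on the terminal."
  (when (and noninteractive (not my-read-passwd-allow-echo))
    (error "Refusing to read a password in a non-interactive session"))
  (read-passwd prompt confirm default))

;; Script entry point: run with `emacs --script FILE'.
;; The guard fires before any prompt is written, the reason is reported
;; on stderr, and the script exits with status 1 instead of echoing input.
(when noninteractive
  (condition-case err
      (my-read-passwd "Password: ")
    (error
     (message "%s" (error-message-string err))
     (kill-emacs 1))))
```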