bug-gnu-emacs

bug#30190: 27.0.50; term run in line mode shows user passwords


From: Tino Calancha
Subject: bug#30190: 27.0.50; term run in line mode shows user passwords
Date: Sat, 10 Mar 2018 17:52:25 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Tino Calancha <tino.calancha@gmail.com>
>> Cc: 30190@debbugs.gnu.org,  Richard Stallman <rms@gnu.org>,  
>> npostavs@users.sourceforge.net
>> Date: Wed, 21 Feb 2018 19:18:31 +0900
>> 
>> If anyone can show just cause why this patch cannot lawfully be joined
>> together in Emacs-26 branch, let them speak now or forever hold their
>> peace.

Thanks for the reply, and sorry for the late response; I have been quite a
busy guy the last 2 months (next week even more :-S ).

> You'll have to convince me that
> 1. we really cannot live with the bug until Emacs 27.

You can live with it.  Many people can live with it.  Indeed, this bug
has been there since the addition of this lib. several releases ago.

I cannot live with it;  any user using 'term.el' in line mode
should not live with it.  It's a security issue and should be
taken seriously.  IMO, Emacs sends the wrong message delivering a new
release with a security bug, having a simple and well understood
fix for it.

Last week one of my teachers saw my email password on my screen.  He
was very serious about that, and requested me to please, _immediately_
change my password.  Certainly, many developers care about these kinds
of issues.

> 2. all of that is needed to fix the bug exposed by your recipe.

The patch is crafted so that:
* It just modifies one file, i.e. term.el.
* It doesn't establish new dependencies between comint.el and term.el.

With that in mind, you can see how simple the patch is.  It _just_ copies
step by step what is done in comint.el:

term-password-prompt-regexp    <--> comint-password-prompt-regexp
term-output-filter-hook        <--> comint-output-filter-functions
term-watch-for-password-prompt <--> comint-watch-for-password-prompt

Run hook 'term-output-filter-hook' in 'term-input-sender' <-->
Run hook 'comint-output-filter-functions' comint-output-filter-functions

'term-send-invisible' uses `read-passwd' <--> 'send-invisible' uses
`read-passwd'

Run hook 'term-output-filter-hook' in 'term-emulate-terminal' <-->
Run hook 'comint-output-filter-functions' in 'comint-output-filter'


IMO the patch is simple, necessary and safe to be included in Emacs-26.

PS: Later on, for Emacs-27 we might want to reduce code duplication
within comint.el and term.el, for instance with the addition
of a new file.
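
The mechanism the message lists (an output filter hook, a password prompt regexp, and a watcher that answers through `read-passwd`), sketched as an added Emacs Lisp example. It is not the patch from this bug report and not code from term.el or comint.el; every `my/` name is hypothetical, and `comint-password-prompt-regexp` is borrowed from comint.el only for its regexp.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration.  All my/ names are hypothetical.
(require 'comint)                 ; only for `comint-password-prompt-regexp'

(defvar my/output-filter-hook nil
  "Functions called with each chunk of process output (a string).")

(defun my/watch-for-password-prompt (string)
  "If STRING looks like a password prompt, read the reply without echo.
The password is typed in the minibuffer via `read-passwd' and sent
straight to the process, so it is never inserted into the buffer."
  (when (let ((case-fold-search t))
          (string-match-p comint-password-prompt-regexp string))
    (let* ((proc (get-buffer-process (current-buffer)))
           ;; Drop leading whitespace/newlines so the prompt reads cleanly.
           (prompt (replace-regexp-in-string "\\`[ \n\r\t]+" "" string))
           (pw (read-passwd prompt)))
      (unwind-protect
          (when (process-live-p proc)
            (process-send-string proc (concat pw "\n")))
        ;; Overwrite the secret so it does not linger in Lisp memory.
        (clear-string pw)))))

(add-hook 'my/output-filter-hook #'my/watch-for-password-prompt)

(defun my/process-filter (proc string)
  "Insert STRING from PROC into its buffer, then run the output hook.
Running the hook on every output chunk is what lets the watcher see
the prompt before the user starts typing the password as plain input."
  (when (buffer-live-p (process-buffer proc))
    (with-current-buffer (process-buffer proc)
      (save-excursion
        (goto-char (process-mark proc))
        (insert string)
        (set-marker (process-mark proc) (point)))
      (run-hook-with-args 'my/output-filter-hook string))))

;; Attach to a process object PROC with:
;;   (set-process-filter PROC #'my/process-filter)
```

Without such a watcher, a line-oriented input mode collects the password as ordinary buffer text before sending it, which is the exposure the report describes.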




