bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#17839: 24.4.50; read-passwd echoes password input in non-interactive


From: Sebastian Wiesner
Subject: bug#17839: 24.4.50; read-passwd echoes password input in non-interactive sessions
Date: Wed, 25 Jun 2014 00:55:53 +0200

Am 24.06.2014 um 20:41 schrieb Glenn Morris <rgm@gnu.org>:

> Sebastian Wiesner wrote:
> 
>>> Batch mode isn't designed for interaction. It uses standard I/O,
>>> oblivious to who is consuming the input.
>> 
>> In this case `read-passwd' should at least signal an error when called
>> in non-interactive mode,
> 
> I think that would be overkill.

I think that `read-passwd’ is a special case, because it *leaks a secret* when 
used in non-interactive mode, and the fact that it does is not immediately 
obvious.  To learn this *in advance*, that is, before actually using this 
function in non-interactive code, one has to conclude from some rather abstract 
descriptions of Emacs’ behavior in the Emacs manual.

>> Currently it is simply insecure in non-interactive mode, and neither
>> its docstring nor the Emacs Lisp manual document that the password is
>> exposed when called in non-interactive mode.
> 
> It's in the manual section on minibuffer input, and in batch mode there
> is no minibuffer. For example, read-file-name doesn't offer completion
> in batch-mode. It doesn't provide history. ctrl-k doesn't work. Etc.
> I see no point in mentioning these things in the doc-string of every
> function that uses the mini buffer.

There is a difference, I think.  Completion, history, C-k, etc. are not crucial 
for entering a file name, but hiding input is absolutely crucial to entering a 
password securely.  I can perfectly enter a file name without history or 
completion, but I cannot securely enter a password if it is shown during input. 
 

So `read-file-name’ works in non-interactive mode, albeit less conveniently, 
but `read-passwd’ arguably does not.

Pointing out that non-interactive mode isn’t designed for interaction is right, 
probably, but misses the point imho.

Besides, “non-interactive” is a little vague.  It’s obvious that `--batch’ is 
non-interactive, but is `--script’ as well?  In other languages, e.g. Python or 
Perl, scripts regularly do interaction, including reading passwords.

I think it’s only natural that Emacs users will try to do the same in Emacs 
Lisp, encouraged by the existence of `--script’, so they’ll sooner or later hit 
this issue.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]