emacs-devel

Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-p


From: Stefan Monnier
Subject: Re: [Emacs-diffs] trunk r115434: * subr.el (read-passwd): Disable show-paren-mode.
Date: Wed, 11 Dec 2013 10:13:34 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux)

>> I don't see why we should write it in C, but stripping away overlays and
>> text-properties would make sense.
> In Lisp there's always a simple way to inadvertently or maliciously
> reveal some text property.  C wouldn't eliminate but reduce that danger.

For the "maliciously" case: this is Emacs we're talking about.  Even if
implemented in C, a "malicious" intruder can place enough advices to
circumvent pretty much any such "security".  So worrying about this case
is not very useful.

Second, hiding the text from display is just a "sanity" measure.
Note that there are many cases where you actually want to see the
password as you type it (it's pretty common nowadays to see password
prompts where you can click a "show password" toggle box).

Showing the paren-matches is not that terrible of a problem.  We already
display the number of chars and I haven't heard anyone complain about
this "information leak".

>> Another approach would be to replace chars with . not just in the
>> display but in the buffer itself and keep the actual chars in
>> a text property.
> Sounds good but not entirely trivial to implement.

If we want it to be 100%, indeed it's not trivial, but using the new
pre-redisplay-functions it should be pretty easy to do a "good enough"
job (good enough to cover show-paren-mode, for instance).

> Which is the weak point IMO.  I wouldn't like to type a password with
> `after-change-functions' or any other hook running in between.

I don't think we want to try and disable pre/post-command-hook, timers,
process filters, before/after-change-functions, and other redisplay
hooks just out of paranoia.


        Stefan


