emacs-pretest-bug

silly security hole


From: Joe Corneli
Subject: silly security hole
Date: Thu, 08 Apr 2004 21:15:15 -0500

OK, I'm not sure it is fair to call this a bug, because it is so silly
and also so obvious.

But I suppose even silly things can potentially cause problems.

If I log in to a remote machine and then report an emacs bug, what comes across
in the "recent input" field is something like this:

Recent input:
M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
SPC f o o . b a r . b a z <return> p a s s w o r d <return>
M-x r e p o r t - e m a c s - b u g <return>

For this to actually cause harm, you need to have a *real* ninny and
a highly observant haxor get together.

In a strictly whitehat mode, I cursorily checked the archives of the
list to see whether this had come up before; I believe that it has.

But nevertheless, I think it would be better if the message came across as

Recent input:
M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
SPC f o o . b a r . b a z <return> * * * * * * * * <return>
M-x r e p o r t - e m a c s - b u g <return>

I don't know if this level of paranoia is justified, since, after all, one
already has to count on people not to send their passwords around the internet,
so you would think that they could be trusted to edit the "recent input"
appropriately.

OTOH, it probably wouldn't be too hard to run a variant of
`comint-watch-for-password-prompt' on the recent entry fields just
in case (and also lossage).

And *on that note*, wouldn't it be better to have
`comint-watch-for-password-prompt' turned on *by default*?

Compare

 http://mail.gnu.org/archive/html/bug-gnu-emacs/2002-06/msg00437.html
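One way to do the scrubbing the message proposes, as an added example that is neither Joe's code nor anything shipped in Emacs: a function (`scrub-recent-input', an assumed name) that walks the "Recent input" dump token by token and, once an "s s h SPC ..." command line has been sent with <return>, replaces every key up to the next <return> with "*". It is a heuristic on the dump's text format only, not a hook into comint, and it assumes keys are whitespace-separated exactly as in the dump above.

```elisp
;; Added example, not part of the original message or of Emacs.
;; Masks the line typed right after an ssh command in a
;; report-emacs-bug "Recent input" dump, one "*" per hidden key.

(defun scrub-recent-input (dump)
  "Return DUMP with the line typed after an ssh command masked.
DUMP is the \"Recent input\" text, keys separated by whitespace.
After \"s s h SPC ...\" is sent with <return>, every key up to the
next <return> is replaced by \"*\" (line breaks are not preserved)."
  (let ((tokens (split-string dump)) ; split on whitespace, drop empties
        (out nil)                    ; emitted tokens, most recent first
        (state 'idle))               ; idle -> armed -> masking -> idle
    (dolist (tok tokens)
      (cond
       ;; "s s h" followed by SPC: an ssh command line is being typed.
       ((and (eq state 'idle)
             (equal tok "SPC")
             (equal (nth 0 out) "h")
             (equal (nth 1 out) "s")
             (equal (nth 2 out) "s"))
        (setq state 'armed)
        (push tok out))
       ;; The ssh command was sent; what follows is presumed secret.
       ((and (eq state 'armed) (equal tok "<return>"))
        (setq state 'masking)
        (push tok out))
       ;; End of the masked line: resume copying keys verbatim.
       ((and (eq state 'masking) (equal tok "<return>"))
        (setq state 'idle)
        (push tok out))
       ;; Inside the masked line: keep the key count, hide the key.
       ((eq state 'masking)
        (push "*" out))
       ;; Everything else passes through unchanged.
       (t (push tok out))))
    (mapconcat #'identity (nreverse out) " ")))

;; Constructed input, copied from the dump shape quoted in the message.
(scrub-recent-input
 "M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
SPC f o o . b a r . b a z <return> p a s s w o r d <return>
M-x r e p o r t - e m a c s - b u g <return>")
```

Run on that input it yields the masked form the message asks for, with the eight keys of `p a s s w o r d' replaced by eight asterisks and everything else left as typed.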
