silly security hole
From: Joe Corneli
Subject: silly security hole
Date: Thu, 08 Apr 2004 21:15:15 -0500

OK, I'm not sure it is fair to call this a bug, because it is so silly
and also so obvious.

But I suppose even silly things can potentially cause problems.

If I log in to a remote machine and then report an emacs bug, what comes across
in the "recent input" field is something like this:

  Recent input:
  M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
  SPC f o o . b a r . b a z <return> p a s s w o r d <return>
  M-x r e p o r t - e m a c s - b u g <return>

For this to actually cause harm, you need to have a *real* ninny and
a highly observant haxor get together.

In a strictly whitehat mode, I cursorily checked the archives of the
list to see whether this had come up before; I believe that it has.

But nevertheless, I think it would be better if the message came across as

  Recent input:
  M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
  SPC f o o . b a r . b a z <return> * * * * * * * * <return>
  M-x r e p o r t - e m a c s - b u g <return>

I don't know if this level of paranoia is justified, since, after all, one
already has to count on people not to send their passwords around the internet,
so you would think that they could be trusted to edit the "recent input"
appropriately.

OTOH, it probably wouldn't be too hard to run a variant of
`comint-watch-for-password-prompt' on the recent entry fields just
in case (and also lossage).

And *on that note*, wouldn't it be better to have
`comint-watch-for-password-prompt' turned on *by default*?

Compare
http://mail.gnu.org/archive/html/bug-gnu-emacs/2002-06/msg00437.html
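
The masking proposed in the message, sketched as an added example that is not part of the original message and not Emacs's own code: a scrubber that stars out the input line typed right after a login-style command in a "Recent input" listing. The `my-` names and the command list are hypothetical, and the heuristic assumes the password is the very next line typed, so a login that never prompts would mask an unrelated line.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: heuristic scrubber for a "Recent input" key listing.

(defvar my-password-commands '("ssh" "su" "sudo" "telnet" "ftp")
  "Assumed list of commands whose next input line is treated as a password.")

(defun my-first-word (keys)
  "Return the word spelled by the leading single-character items of KEYS."
  (let ((word ""))
    (while (and keys (= (length (car keys)) 1))
      (setq word (concat word (car keys))
            keys (cdr keys)))
    word))

(defun my-redact-recent-input (text)
  "Return TEXT, a key listing, with assumed password lines masked.
Keys are grouped into lines ending in <return> or RET.  When a line
starts with a command from `my-password-commands', every key of the
following line is replaced by \"*\"."
  (let ((mask-next nil) (segment nil) (out nil))
    (dolist (key (split-string text))
      (if (not (member key '("<return>" "RET")))
          (push key segment)
        ;; End of an input line: emit it, masked if the previous line asked for it.
        (setq segment (nreverse segment))
        (dolist (k segment) (push (if mask-next "*" k) out))
        (push key out)
        ;; A masked line is never itself inspected for a command name.
        (setq mask-next (and (not mask-next)
                             (member (my-first-word segment)
                                     my-password-commands))
              segment nil)))
    ;; Keys after the last <return>: the user may have stopped mid-password.
    (dolist (k (nreverse segment)) (push (if mask-next "*" k) out))
    (mapconcat #'identity (nreverse out) " ")))

;; Constructed sample: the listing quoted in the message above.
(defconst my-sample-recent-input
  "M-x s h e l l <return> s s h SPC - l SPC u s e r n a m e
SPC f o o . b a r . b a z <return> p a s s w o r d <return>
M-x r e p o r t - e m a c s - b u g <return>")

(message "%s" (my-redact-recent-input my-sample-recent-input))
```

The scrubber only rewrites the text of the report; the keystrokes are still held in Emacs's recent-keys history and would appear in a later, unscrubbed listing.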