[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
lynx-dev passwords should not be saved - quasi-patch
From: |
Klaus Weide |
Subject: |
lynx-dev passwords should not be saved - quasi-patch |
Date: |
Tue, 24 Aug 1999 05:19:19 -0500 (CDT) |
It is possible to recover hidden input that was entered at a password
prompt and make it visible (with TAB on the next input prompt). This
should not be possible. I am talking about prompts where lynx
masks the input with '*' characters. Although probably few users share
the same lynx session with others, making such input visible (possibly
by accident) is Bad. It also makes the CLEAR_AUTH ('_') key command a
bit pointless.
Note 1, this does _not_ apply to form fields (INPUT TYPE="password"),
only to non-formfield line editing. Form field input never gets saved
in a 'closet' for later TAB completion.
Note 2, if you really really want to save input typed in a hidden input
for later line-editing manipulation, that is still possible by using
KILLREG and YANK from the Bash-Like Bindings. Since this requires
specific user action and can hardly happen by accident, it's ok
(a feature, in my opinion).
Further question: should CLEAR_AUTH clear all saved (with LYAddToCloset)
input?
Trivial fix (untested, but very obvious): in LYStrings.c, function
LYgetstr, in
case LYE_ENTER:
/*
* Terminate the string and return.
*/
strcpy(inputline, MyEdit.buffer);
LYAddToCloset(MyEdit.buffer);
return(ch);
insert
if (!hidden)
before the
LYAddToCloset(MyEdit.buffer);
(There is another LYAddToCloset call earlier in the same function.
That one could be protected in a similar way, but it shouldn't matter -
'hidden' and 'recall' should never be true at the same time.)
Klaus
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- lynx-dev passwords should not be saved - quasi-patch,
Klaus Weide <=