lynx-dev
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

lynx-dev passwords should not be saved - quasi-patch


From: Klaus Weide
Subject: lynx-dev passwords should not be saved - quasi-patch
Date: Tue, 24 Aug 1999 05:19:19 -0500 (CDT)

It is possible to recover hidden input that was entered at a password
prompt and make it visible (with TAB on the next input prompt).  This
should not be possible.  I am talking about prompts where lynx
masks the input with '*' characters.  Although probably few users share
the same lynx session with others, making such input visible (possibly
by accident) is Bad.  It also makes the CLEAR_AUTH ('_') key command a
bit pointless.

Note 1, this does _not_ apply to form fields (INPUT TYPE="password"),
only to non-formfield line editing.  Form field input never gets saved
in a 'closet' for later TAB completion.

Note 2, if you really really want to save input typed in a hidden input
for later line-editing manipulation, that is still possible by using
KILLREG and YANK from the Bash-Like Bindings.  Since this requires
specific user action and can hardly happen by accident, it's ok
(a feature, in my opinion).

Further question: should CLEAR_AUTH clear all saved (with LYAddToCloset)
input?

Trivial fix (untested, but very obvious): in LYStrings.c, function
LYgetstr, in

        case LYE_ENTER:
            /*
             *  Terminate the string and return.
             */
            strcpy(inputline, MyEdit.buffer);
            LYAddToCloset(MyEdit.buffer);
            return(ch);

insert
            if (!hidden)
before the
            LYAddToCloset(MyEdit.buffer);

(There is another LYAddToCloset call earlier in the same function.
That one could be protected in a similar way, but it shouldn't matter -
'hidden' and 'recall' should never be true at the same time.)


    Klaus


reply via email to

[Prev in Thread] Current Thread [Next in Thread]