GNU bug report logs - #49289
28.0.50; auth-source-search may return doubly obfuscated :secret value


Package: emacs;

Reported by: Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>

Date: Wed, 30 Jun 2021 10:19:01 UTC

Severity: normal

Found in version 28.0.50

Fixed in version 28.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#49289; Package emacs. (Wed, 30 Jun 2021 10:19:02 GMT)

Acknowledgement sent to Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 30 Jun 2021 10:19:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>
To: bug-gnu-emacs <at> gnu.org
Subject: 28.0.50; auth-source-search may return doubly obfuscated :secret value
Date: Wed, 30 Jun 2021 19:18:37 +0900

When I have a ~/.authinfo entry of 'mail.example.com' for user 'foo' but
not user 'bar',

~/.authinfo
machine mail.example.com login foo password abcdef

for a user other than 'foo', auth-source-search returns a function which
returns a function which returns a string.

(progn
  (require 'auth-source)
  (list
   (funcall
    (plist-get
     (car (auth-source-search
	   :host "mail.example.com" :user "foo"
	   :require '(:secret) :create t))
     :secret))
   (funcall
    (funcall
     ;; *** funcall called twice. ***
     (plist-get
      (car (auth-source-search
	    :host "mail.example.com" :user "bar"
	    :require '(:secret) :create t))
      :secret)))))

-> ("abcdef" "abcdef")

I don't know whether auth-source supports multiple accounts on the
same host and whether it is a feature that auth-source-search tends to
return another user's password.  But I think a doubly obfuscated :secret
value is obviously a bug.

-- 
Kazuhiro Ito




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#49289; Package emacs. (Wed, 30 Jun 2021 12:29:02 GMT)

Message #8 received at 49289 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>
Cc: 49289 <at> debbugs.gnu.org
Subject: Re: bug#49289: 28.0.50; auth-source-search may return doubly
 obfuscated :secret value
Date: Wed, 30 Jun 2021 14:28:34 +0200

Kazuhiro Ito <kzhr <at> d1.dion.ne.jp> writes:

> I don't know whether auth-source supports multiple accounts on the
> same host and whether it is a feature that auth-source-search tends to
> return another user's password.  But I think a doubly obfuscated :secret
> value is obviously a bug.

I think both things are bugs, and the second happens because of the
first bug.  I've now pushed a fix for this to Emacs 28.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
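
The two problems discussed in this thread, handled on the caller side: an added example (not part of the bug report or of Emacs itself) that unwraps a :secret value until it is a string and checks that an entry's :user is the one that was asked for. The my/ helper names and the sample entries are constructed for illustration; real entries would come from auth-source-search.

```elisp
(require 'seq)

;; Hypothetical helper, not part of auth-source.
(defun my/auth-secret-string (entry)
  "Return the :secret of ENTRY as a string, unwrapping nested functions.
Signal an error if the value does not resolve to a string."
  (let ((secret (plist-get entry :secret))
        (depth 0))
    ;; auth-source normally wraps the secret in one function; the
    ;; behaviour reported in this bug wrapped it in two.  Cap the
    ;; depth so a function that keeps returning functions cannot
    ;; loop forever.
    (while (and (functionp secret) (< depth 4))
      (setq secret (funcall secret)
            depth (1+ depth)))
    (unless (stringp secret)
      (error "auth-source :secret did not resolve to a string"))
    secret))

;; Hypothetical helper, not part of auth-source.
(defun my/auth-entry-for-user (entries user)
  "Return the first of ENTRIES whose :user equals USER, or nil.
Guards against using a credential stored for a different account."
  (seq-find (lambda (entry) (equal (plist-get entry :user) user))
            entries))

;; Constructed sample entries shaped like auth-source-search results:
;; one with the usual single wrapper, one with the double wrapper
;; described in the report.
(let* ((single (list :host "mail.example.com" :user "foo"
                     :secret (lambda () "abcdef")))
       (double (list :host "mail.example.com" :user "foo"
                     :secret (lambda () (lambda () "abcdef")))))
  (list
   ;; Both wrappers resolve to the same string.
   (my/auth-secret-string single)
   (my/auth-secret-string double)
   ;; The entry belongs to "foo", so a request for "bar" finds nothing
   ;; instead of silently reusing foo's password.
   (my/auth-entry-for-user (list double) "bar")))
```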




bug marked as fixed in version 28.1, send any further explanations to 49289 <at> debbugs.gnu.org and Kazuhiro Ito <kzhr <at> d1.dion.ne.jp> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 30 Jun 2021 12:29:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Jul 2021 11:24:07 GMT)

This bug report was last modified 2 years and 270 days ago.
