GNU bug report logs - #49289
28.0.50; auth-source-search may return doubly obfuscated :secret value
Reported by: Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>
Date: Wed, 30 Jun 2021 10:19:01 UTC
Severity: normal
Found in version 28.0.50
Fixed in version 28.1
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#49289; Package emacs. (Wed, 30 Jun 2021 10:19:02 GMT)
Acknowledgement sent to Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Wed, 30 Jun 2021 10:19:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
When I have a ~/.authinfo entry of 'mail.example.com' for user 'foo' but
not user 'bar',

~/.authinfo
machine mail.example.com login foo password abcdef

for a user other than 'foo', auth-source-search returns a function which
returns a function which returns a string.

(progn
  (require 'auth-source)
  (list
   (funcall
    (plist-get
     (car (auth-source-search
           :host "mail.example.com" :user "foo"
           :require '(:secret) :create t))
     :secret))
   (funcall
    (funcall
     ;; *** funcall called twice. ***
     (plist-get
      (car (auth-source-search
            :host "mail.example.com" :user "bar"
            :require '(:secret) :create t))
      :secret)))))

-> ("abcdef" "abcdef")

I don't know whether auth-source supports multiple accounts on the
same host and whether it is a feature that auth-source-search tends to
return other user's password. But I think doubly obfuscated :secret
value is obviously a bug.
--
Kazuhiro Ito
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#49289; Package emacs. (Wed, 30 Jun 2021 12:29:02 GMT)
Message #8 received at 49289 <at> debbugs.gnu.org (full text, mbox):
Kazuhiro Ito <kzhr <at> d1.dion.ne.jp> writes:
> I don't know whether auth-source supports multiple accounts on the
> same host and whether it is a feature that auth-source-search tends to
> return other user's password. But I think doubly obfuscated :secret
> value is obviously a bug.
I think both things are bugs, and the second happens because of the
first bug. I've now pushed a fix for this to Emacs 28.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
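
A caller-side guard for the two symptoms discussed in this thread, as an added example that is not part of the original messages or of Emacs's own code: it checks that the returned entry's :user matches the requested one and that :secret resolves to a string after a single funcall. The names my/auth-secret-for and my/auth-secret-demo and the temporary authinfo file are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
(require 'auth-source)

(defun my/auth-secret-for (host user)
  "Return the password string for USER at HOST, or nil when no entry matches.
Hypothetical helper, not part of auth-source.  It does not pass :create,
so a miss simply returns nil."
  (let* ((entry (car (auth-source-search :host host :user user
                                         :require '(:secret) :max 1)))
         (found-user (plist-get entry :user))
         (secret (plist-get entry :secret)))
    (cond
     ((null entry) nil)
     ;; Symptom 1 in the report: an entry for a different login came back.
     ((not (equal found-user user))
      (error "auth-source returned an entry for %S, wanted %S"
             found-user user))
     (t
      ;; :secret is normally a function wrapping the string; call it once.
      (let ((value (if (functionp secret) (funcall secret) secret)))
        ;; Symptom 2: one funcall yields another function, not a string.
        (unless (stringp value)
          (error "auth-source :secret for %s@%s is not a string" user host))
        value)))))

(defun my/auth-secret-demo ()
  "Run the helper against a constructed authinfo file (sample data)."
  (let* ((file (make-temp-file "authinfo-demo"))
         (auth-sources (list file))     ; only consult the sample file
         (auth-source-do-cache nil))    ; do not cache the sample lookups
    (unwind-protect
        (progn
          (with-temp-file file
            ;; Constructed entry, same shape as the one in the report.
            (insert "machine mail.example.com login foo password abcdef\n"))
          (list (my/auth-secret-for "mail.example.com" "foo")
                (my/auth-secret-for "mail.example.com" "bar")))
      (delete-file file))))
```
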
bug marked as fixed in version 28.1, send any further explanations to 49289 <at> debbugs.gnu.org and Kazuhiro Ito <kzhr <at> d1.dion.ne.jp>. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Wed, 30 Jun 2021 12:29:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Jul 2021 11:24:07 GMT)
This bug report was last modified 2 years and 270 days ago.