m-chrzan.xyz
aboutsummaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorIan Eure <ian.eure@gmail.com>2019-01-10 14:36:37 -0800
committerSvend Sorensen <svend@svends.net>2019-04-05 19:29:28 -0700
commit7aa17d099577730d2d65332896b74d5865b22abf (patch)
tree3b89db96164686ac921296a5a87846ee08c7e1c3 /tests
parentb0b784b1a57c0b06936e6f5d6560712b4b810cd3 (diff)
emacs: Supprt asynchronous pass operations which return output.
When using EXWM, if `password-store-get` is called and a pinentry program needs to be executed, Emacs deadlocks. This happens becuase Emacs blocks waiting for output from `gpg(1)`, which is blocked waiting for output from the pinentry-program, which is blocked waiting for Emacs to manage its window. This updates `password-store-copy` to work asynchronously. This should be fine, since its primary purpose is side-effecting, and it doesn’t matter when its evaluation completes. The ability to call `password-store-get` asynchronously with a callback has also been added to support this usecase. A new function has been added for general cases of async `pass` commands where the output is needed, `password-store--run-1`. While there is an existing `password-store--run-async`, it discards output -- it’s only used for `pass edit`, where it’s not needed. The body of `password-store--run` has been replacing it with one that uses `--run-1` and a wait loop which blocks until it’s complete. Supporting all this necessitated moving the file to lexical binding and dropping Emacs 24 support. The latter requirement could be worked around if there are concerns around it. **SECURITY INTERLUDE** I was unbelievably distressed to discover that the implementation of `password-store--run` redirects the decrypted file contents to disk, reads that into a buffer, then removes the file. This approach is preposterous and may warrant a CVE, as it exposes users to numerous conditions where their cleartext passwords could be recovered: - If the user hits C-g, the Emacs function may not get to the point of removing the file, leaving the password on disk. - It’s not a safe assumption that `make-temp-file` is secure, and even if it were, the time windows in play are likely to be very large, opening race conditions where the file contents can be read by an attacker before the file is removed. - Even if the file is removed, it could be recovered by examining the contents of deleted inodes. Information this sensitive should NEVER be persisted in cleartext in non-volatile storage. You may as well write it on a post-it and stick it on your monitor. re NicolasPetton/pass#25
Diffstat (limited to 'tests')
0 files changed, 0 insertions, 0 deletions