Obfuscate auth-source secrets more

* lisp/auth-source.el (auth-source-netrc-normalize): Obfuscate passwords stored in the lexical closure (bug#37196).
author: Lars Ingebrigtsen 2019-09-20 21:25:47 +0200
committer: Lars Ingebrigtsen 2019-09-20 22:10:52 +0200
commit: a420f13155b71b68b964a51ff326ccdf441c2811 (patch)
tree: f4b1b4825ce725ba032053a5c2c9e35bb204bf79
parent: 6d50010b34dbbcb90a7b4512f97e07fd8beceea5 (diff)
download: emacs-a420f13155b71b68b964a51ff326ccdf441c2811.tar.gz
emacs-a420f13155b71b68b964a51ff326ccdf441c2811.zip
1 files changed, 12 insertions, 6 deletions
diff --git a/lisp/auth-source.el b/lisp/auth-source.el
index 7d8657da110..83ed90a87f2 100644
--- a/lisp/auth-source.el
+++ b/lisp/auth-source.el
@@ -1132,11 +1132,15 @@ FILE is the file from which we obtained this token."
                                ((member k '("password")) "secret")
                                (t k)))
-                  ;; send back the secret in a function (lexical binding)
+                  ;; Send back the secret in a function (lexical
+                  ;; binding).  We slightly obfuscate the passwords
+                  ;; (that's the "(mapcar #+' ..)" stuff) to avoid
+                  ;; showing the passwords in clear text in backtraces
+                  ;; and the like.
                  (when (equal k "secret")
-                    (setq v (let ((lexv v)
+                    (setq v (let ((lexv (mapcar #'1+ v))
                                  (token-decoder nil))
-                              (when (string-match "^gpg:" lexv)
+                              (when (string-match "^gpg:" v)
                                ;; it's a GPG token: create a token decoder
                                ;; which unsets itself once
                                (setq token-decoder
@@ -1147,9 +1151,11 @@ FILE is the file from which we obtained this token."
                                             filename)
                                          (setq token-decoder nil)))))
                              (lambda ()
-                                (when token-decoder
+                                (if token-decoder
-                                  (setq lexv (funcall token-decoder lexv)))
+                                    (funcall token-decoder
-                                lexv))))
+                                             (apply #'string
+                                                    (mapcar #'1- lexv)))
+                                  (apply #'string (mapcar #'1- lexv)))))))
                  (setq ret (plist-put ret
                                       (auth-source--symbol-keyword k)
                                       v))))
author	Lars Ingebrigtsen	2019-09-20 21:25:47 +0200
committer	Lars Ingebrigtsen	2019-09-20 22:10:52 +0200
commit	a420f13155b71b68b964a51ff326ccdf441c2811 (patch)
tree	f4b1b4825ce725ba032053a5c2c9e35bb204bf79
parent	6d50010b34dbbcb90a7b4512f97e07fd8beceea5 (diff)
download	emacs-a420f13155b71b68b964a51ff326ccdf441c2811.tar.gz emacs-a420f13155b71b68b964a51ff326ccdf441c2811.zip