
`stack upload` reveals your password as you type it on MSYS2 #3142

Closed
RyanGlScott opened this Issue Apr 26, 2017 · 0 comments

RyanGlScott commented Apr 26, 2017

General summary/comments (optional)

When running stack upload on a MinTTY-based shell (such as Cygwin or MSYS2) on Windows, it will echo your password! I recently fixed similar bugs in cabal-install and haskeline.

The reason this happens is because hGetEcho/hSetEcho (which stack uses here) doesn't work properly in MinTTY, ultimately stemming from the fact that MinTTY interacts poorly with isatty(). The workaround I adopted in my echo (which I incorporated into cabal-install and haskeline) library is to use the stty shell utility to disable/enable echoing when running in MinTTY, and to use hGetEcho/hSetEcho otherwise. I think the technique should work in stack as well.

Steps to reproduce

Simply run stack upload <some-tarball>.tar.gz, and observe what happens when you type in your password.

Expected

I would expect input echoing to be disabled when typing in the password prompt.

Actual

```
Hackage username: me
Hackage password: hunter2
```

Ack! Now everyone watching my screen knows that my password is hunter2 :(

Stack version

Version 1.4.1, Git revision 45e2ba52a08b235ef1a6421e73bbbe7255014796 (4759 commits) x86_64
Compiled with:

Method of installation

From the GitHub repo.
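The stty workaround the report describes, written out as an added example (not code from the issue, from stack, or from the echo library): a POSIX sh password prompt that disables echo with `stty`, restores the terminal state on any exit including Ctrl-C, and falls back to a plain read when stdin is not a terminal. The function name `read_secret` and the prompt text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from stack or from the echo library: a POSIX sh
# password prompt that turns terminal echo off with stty, the same
# workaround the issue proposes for MinTTY, where a native Windows
# program's hGetEcho/hSetEcho cannot work because MinTTY's console is
# seen as a pipe rather than a tty (isatty() is false).

# Read one line of secret input from stdin without echoing it and print
# it on stdout (capture with $(...)). When stdin is not a terminal
# (piped input, CI) it falls back to a plain read, which is also what
# makes the function testable non-interactively.
read_secret() {
    prompt=${1:-"Password: "}
    status=0
    secret=
    if [ -t 0 ]; then
        # Save the full terminal state so we restore exactly what we had,
        # not just the echo flag.
        saved=$(stty -g)
        # Restore on any exit, including Ctrl-C mid-prompt; otherwise the
        # user's shell is left with echo off. Note: this replaces any
        # EXIT/INT/TERM trap the caller had set.
        trap 'stty "$saved"' EXIT
        trap 'exit 130' INT
        trap 'exit 143' TERM
        printf '%s' "$prompt" >&2
        stty -echo
        IFS= read -r secret || status=$?
        stty "$saved"
        trap - EXIT INT TERM
        # The user's Enter was not echoed either, so emit the newline.
        printf '\n' >&2
    else
        IFS= read -r secret || status=$?
    fi
    # read returns non-zero at EOF even if it got a partial last line;
    # accept that line, but fail on genuinely empty input.
    if [ "$status" -ne 0 ] && [ -z "$secret" ]; then
        return 1
    fi
    printf '%s\n' "$secret"
}

# Interactive use, e.g. from an MSYS2/MinTTY shell:
#   pw=$(read_secret "Hackage password: ")
```

Because the shell running under MinTTY is an MSYS2/Cygwin binary, `stty` sees a real tty there even when a native Windows program in the same window does not, which is why shelling out to it works where `hSetEcho` fails.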
