/stack

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

`stack upload` reveals your password as you type it on MSYS2 #3142

Closed
RyanGlScott opened this Issue Apr 26, 2017 · 0 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@RyanGlScott
@RyanGlScott
Contributor

RyanGlScott commented Apr 26, 2017

General summary/comments (optional)

When running stack upload on a MinTTY-based shell (such as Cygwin or MSYS2) on Windows, it will echo your password! I recently fixed similar bugs in cabal-install and haskeline.

The reason this happens is because hGetEcho/hSetEcho (which stack uses here) doesn't work properly in MinTTY, ultimately stemming from the fact that MinTTY interacts poorly with isatty(). The workaround I adopted in my echo (which I incorporated into cabal-install and haskeline) library is to use the stty shell utility to disable/enable echoing when running in MinTTY, and to use hGetEcho/hSetEcho otherwise. I think the technique should work in stack as well.

Steps to reproduce

Simply run stack upload <some-tarball>.tar.gz, and observe what happens when you type in your password.

Expected

I would expect input echoing to be disabled when typing in the password prompt.

Actual

Hackage username: me
Hackage password: hunter2

Ack! Now everyone watching my screen knows that my password is hunter2 :(

Stack version

Version 1.4.1, Git revision 45e2ba52a08b235ef1a6421e73bbbe7255014796 (4759 commits) x86_64
Compiled with:
- Cabal-1.24.2.0
- Glob-0.7.14
- HUnit-1.6.0.0
- MonadRandom-0.5.1
- QuickCheck-2.9.2
- SHA-1.6.4.2
- StateVar-1.1.0.4
- Win32-2.3.1.1
- Win32-notify-0.3.0.1
- aeson-1.2.0.0
- aeson-compat-0.3.6
- annotated-wl-pprint-0.7.0
- ansi-terminal-0.6.2.3
- ansi-wl-pprint-0.6.7.3
- array-0.5.1.1
- asn1-encoding-0.9.5
- asn1-parse-0.9.4
- asn1-types-0.3.2
- async-2.1.1.1
- attoparsec-0.13.1.0
- attoparsec-iso8601-1.0.0.0
- auto-update-0.1.4
- base-4.9.1.0
- base-compat-0.9.3
- base-orphans-0.6
- base16-bytestring-0.1.1.6
- base64-bytestring-1.0.0.1
- bifunctors-5.4.2
- binary-0.8.3.0
- binary-tagged-0.1.4.2
- bitarray-0.0.1.1
- blaze-builder-0.4.0.2
- blaze-html-0.9.0.1
- blaze-markup-0.8.0.0
- byteable-0.1.1
- bytestring-0.10.8.1
- call-stack-0.1.0
- case-insensitive-1.2.0.9
- cereal-0.5.4.0
- clock-0.7.2
- comonad-5.0.1
- conduit-1.2.10
- conduit-extra-1.1.15
- connection-0.2.8
- constraints-0.9.1
- containers-0.5.7.1
- contravariant-1.4
- cookie-0.4.2.1
- cryptohash-0.11.9
- cryptohash-sha256-0.11.100.1
- cryptonite-0.23
- cryptonite-conduit-0.2.0
- data-default-class-0.1.2.0
- deepseq-1.4.2.0
- digest-0.0.1.2
- directory-1.3.0.0
- distributive-0.5.2
- dlist-0.8.0.2
- easy-file-0.2.1
- ed25519-0.0.5.0
- either-4.4.1.1
- errors-2.2.0
- exceptions-0.8.3
- extra-1.5.2
- fail-4.9.0.0
- fast-logger-2.4.10
- file-embed-0.0.10
- filelock-0.1.0.1
- filepath-1.4.1.1
- foundation-0.0.8
- free-4.12.4
- fsnotify-0.2.1
- generic-deriving-1.11.2
- generics-sop-0.2.5.0
- ghc-boot-th-8.0.2
- ghc-prim-0.5.0.0
- gitrev-1.3.1
- hackage-security-0.5.2.2
- hashable-1.2.6.0
- hastache-0.6.1
- hourglass-0.2.10
- hpack-0.17.0
- hpc-0.6.0.3
- hspec-2.4.3
- hspec-core-2.4.3
- hspec-discover-2.4.3
- hspec-expectations-0.8.2
- hspec-smallcheck-0.4.2
- http-api-data-0.3.7
- http-client-0.5.6.1
- http-client-tls-0.3.4.1
- http-conduit-2.2.3.1
- http-types-0.9.1
- ieee754-0.8.0
- integer-gmp-1.0.0.1
- integer-logarithms-1.0.1
- lifted-async-0.9.1.1
- lifted-base-0.2.3.10
- logict-0.6.0.2
- memory-0.14.5
- microlens-0.4.8.0
- microlens-mtl-0.1.10.0
- microlens-th-0.4.1.1
- mime-types-0.1.0.7
- mmorph-1.0.9
- monad-control-1.0.1.0
- monad-logger-0.3.22
- monad-loops-0.4.3
- monad-unlift-0.2.0
- mono-traversable-1.0.2
- mtl-2.2.1
- nats-1.1.1
- network-2.6.3.1
- network-uri-2.6.1.0
- old-locale-1.0.0.7
- old-time-1.1.0.3
- open-browser-0.2.1.0
- optparse-applicative-0.13.2.0
- optparse-simple-0.0.3
- parsec-3.1.11
- path-0.5.13
- path-io-1.2.2
- path-pieces-0.2.1
- pem-0.2.2
- persistent-2.7.0
- persistent-sqlite-2.6.2
- persistent-template-2.5.2
- prelude-extras-0.4.0.3
- pretty-1.1.3.3
- primitive-0.6.2.0
- process-1.4.3.0
- profunctors-5.2
- project-template-0.2.0
- quickcheck-io-0.1.4
- random-1.1
- regex-applicative-0.3.3
- regex-applicative-text-0.1.0.1
- resource-pool-0.2.3.2
- resourcet-1.1.9
- retry-0.7.4.2
- rts-1.0
- safe-0.3.14
- safe-exceptions-0.1.5.0
- scientific-0.3.4.12
- semigroupoids-5.2
- semigroups-0.18.3
- setenv-0.1.1.3
- silently-1.2.5
- smallcheck-1.1.1
- socks-0.5.5
- split-0.2.3.1
- stm-2.4.4.1
- stm-chans-3.0.0.4
- store-0.4.2
- store-core-0.4
- streaming-commons-0.1.17
- syb-0.7
- tagged-0.8.5
- tar-0.5.0.3
- template-haskell-2.11.1.0
- temporary-1.2.0.4
- text-1.2.2.1
- text-binary-0.2.1.1
- text-metrics-0.2.0
- tf-random-0.5
- th-expand-syns-0.4.3.0
- th-lift-0.7.7
- th-lift-instances-0.1.11
- th-orphans-0.13.3
- th-reify-many-0.1.6
- th-utilities-0.2.0.1
- time-1.6.0.1
- time-locale-compat-0.1.1.3
- tls-1.3.10
- transformers-0.5.2.0
- transformers-base-0.4.4
- transformers-compat-0.5.1.4
- unexceptionalio-0.3.0
- unicode-transforms-0.3.0
- unix-compat-0.4.3.1
- unordered-containers-0.2.8.0
- uri-bytestring-0.2.3.1
- uuid-types-1.0.3
- vector-0.12.0.1
- vector-algorithms-0.7.0.1
- vector-binary-instances-0.2.3.5
- void-0.7.2
- x509-1.6.5
- x509-store-1.6.2
- x509-system-1.6.4
- x509-validation-1.6.5
- yaml-0.8.22
- zip-archive-0.3.0.6
- zlib-0.6.1.2

Method of installation

From the GitHub repo.

@RyanGlScott RyanGlScott referenced this issue Apr 26, 2017

Merged

Suppress password echoing from stack upload on MinTTY consoles #3143

@Blaisorblade Blaisorblade closed this in #3143 May 22, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment