When running stack upload on a MinTTY-based shell (such as Cygwin or MSYS2) on Windows, it will echo your password! I recently fixed similar bugs in cabal-install and haskeline.
The reason this happens is because hGetEcho/hSetEcho (which stack uses here) doesn't work properly in MinTTY, ultimately stemming from the fact that MinTTY interacts poorly with isatty(). The workaround I adopted in my echo (which I incorporated into cabal-install and haskeline) library is to use the stty shell utility to disable/enable echoing when running in MinTTY, and to use hGetEcho/hSetEcho otherwise. I think the technique should work in stack as well.
Steps to reproduce
Simply run stack upload <some-tarball>.tar.gz, and observe what happens when you type in your password.
Expected
I would expect input echoing to be disabled when typing in the password prompt.
Actual
Hackage username: me
Hackage password: hunter2
Ack! Now everyone watching my screen knows that my password is hunter2 :(
General summary/comments (optional)
When running
stack upload
on a MinTTY-based shell (such as Cygwin or MSYS2) on Windows, it will echo your password! I recently fixed similar bugs incabal-install
andhaskeline
.The reason this happens is because
hGetEcho
/hSetEcho
(whichstack
uses here) doesn't work properly in MinTTY, ultimately stemming from the fact that MinTTY interacts poorly withisatty()
. The workaround I adopted in myecho
(which I incorporated intocabal-install
andhaskeline
) library is to use thestty
shell utility to disable/enable echoing when running in MinTTY, and to usehGetEcho
/hSetEcho
otherwise. I think the technique should work instack
as well.Steps to reproduce
Simply run
stack upload <some-tarball>.tar.gz
, and observe what happens when you type in your password.Expected
I would expect input echoing to be disabled when typing in the password prompt.
Actual
Ack! Now everyone watching my screen knows that my password is
hunter2
:(Stack version
Method of installation
From the GitHub repo.
The text was updated successfully, but these errors were encountered: