read --silent is storing passwords in plaintext in history

[mdenzel]

Hello guys,

it seems that fish is storing plaintext passwords when using read --silent to read them in. This makes password prompts a security hazard.

It has already been fixed according to #6438 and #5904 (also #838, #1504) but does not seem to work as expected:

> set | grep fish_private
fish_private_mode
> fish --private
Welcome to fish, the friendly interactive shell.
fish is running in private mode, history will not be persisted.
> set | grep fish_private
fish_private_mode 1
> read --silent password
read> ●●●●●●●●●●●●●●●●
> mysecretpassword
(simply by pressing the "up" arrowkey; it also shows up in the 'history' command)

Attackers could just dump passwords from fish's history.

Systeminfo:

> echo $TERM
xterm-256color
> uname -r
5.7.10-201.fc32.x86_64
> fish --version
fish, version 3.1.2

[faho]

The read history is no longer stored on disk. It is still kept in memory, but at that point you have bigger problems.

[ridiculousfish]

Reopening this - I can reproduce in --private mode only. The password is not written to disk in any scenario, but probably it ought not to be returned by history either.

[ridiculousfish]

Thanks for filing, good find!