Plaintext passwords / PIN exposed via rofi cache history file #25
Comments
Just stumbled upon this issue.

EDIT: maybe having a symlink or hardlink from

EDIT: It works

QUICK FIX: let
Hi,

Yeah, that is not great. If I understand

I don't see any trace of

The question is then, why does it write entries to disk for you two? I might have one suspicion on what it might be. But I need more information to be able to reproduce this. Would any of you mind answering the following questions?

- What version of rofi?
- What version of guile?
- What version of gnupg? Or are you using something else?
- Is the password/PIN visible when typing it in?

Thanks
- rofi: 1.7.5
- guile: 3.0.9
- gnupg: according to
- Visible when typing: No
- OS: NixOS
Could it be that you are using the

I did some more code spelunking and the rofi entry cache history was added after the

I can reproduce the behavior by using

Build it from source:

```
$ guix shell --pure -D rofi meson ninja pkg-config gcc-toolchain -- meson setup build
$ guix shell --pure -D rofi meson ninja pkg-config gcc-toolchain -- meson compile -C build
```

Then I ran:

Typed in

Then I ran:

Typed in

And the resulting history file is:

I would expect it to just capture

Running the same with

Please report this issue to the
Could you provide me with a/the commit of upstream it still works on? I can't figure out where I have to look.
I'm using the 1.7.5 tag: https://github.com/davatorium/rofi/tree/1.7.5
Opened an upstream issue. It is confirmed by the developer: davatorium/rofi#1995

I think this should be left open until it is patched upstream and in a release, so that people will find it.
Sounds good. I'll leave this open until this is patched upstream.
Yes, in effect I'm using the Wayland forked version of

This is the
Ok, it seems that they track the upstream rofi repository. Once the fix lands in
In testing this rofi plugin, I noticed that whatever is entered into the "secure" password entry in rofi gets directly written to disk in plaintext.

This appears due to rofi's default behavior to write textbox input history to `$XDG_CACHE_HOME/rofi-entry-history.txt` (default: `~/.cache/rofi-entry-history.txt`).

This may be possible to avoid by using `-cache-dir /dev/null`, but it's unclear how to tell the wrapper script `/usr/bin/pinentry-rofi` to pass this when it runs rofi.
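As an added example (not code from pinentry-rofi, rofi, or anyone in this thread), the following POSIX shell script checks whether the history file named in the report has captured a given secret and then neutralizes the path so later writes are discarded. It assumes the path stated above (`$XDG_CACHE_HOME/rofi-entry-history.txt`, default `~/.cache`), one entry per line, and that rofi appends to the existing file rather than replacing it; if rofi replaces the file, the symlink is lost and only the `-cache-dir` route mentioned in the report helps. The demo data is constructed.

```shell
#!/bin/sh
# Added example; not part of pinentry-rofi or rofi. Audits and neutralizes
# rofi's entry-history file. Assumptions: the path below (as stated in the
# issue), one entry per line, and that rofi appends to the file in place.

# Resolve the history file the way the issue describes.
rofi_history_path() {
  printf '%s/rofi-entry-history.txt\n' "${XDG_CACHE_HOME:-$HOME/.cache}"
}

# Number of recorded entries; 0 when the path is absent or not a regular
# file (e.g. after it has been pointed at /dev/null).
rofi_history_count() {
  f=$(rofi_history_path)
  if [ -f "$f" ]; then
    wc -l < "$f" | tr -d ' '
  else
    echo 0
  fi
}

# Exit 0 if the given string (e.g. a throwaway PIN you just typed into the
# pinentry) is stored on disk as a whole line, 1 otherwise.
rofi_history_contains() {
  f=$(rofi_history_path)
  [ -f "$f" ] && grep -qxF -- "$1" "$f"
}

# Overwrite and remove the file (shred is best-effort; it is not reliable on
# copy-on-write or journaled filesystems), then replace the path with a
# symlink to /dev/null so that subsequent appends go nowhere.
neutralize_rofi_history() {
  f=$(rofi_history_path)
  mkdir -p "$(dirname "$f")"
  if [ -f "$f" ]; then
    if command -v shred >/dev/null 2>&1; then shred -u -- "$f"; else rm -f -- "$f"; fi
  fi
  [ -L "$f" ] || ln -s /dev/null "$f"
}

# Demo on constructed data in a throwaway cache directory; prints
# "<entries before> <entries after>" and never touches the real cache.
rofi_history_demo() {
  XDG_CACHE_HOME=$(mktemp -d); export XDG_CACHE_HOME
  # Constructed sample: a harmless command and a PIN, as the report describes.
  printf 'git status\n123456\n' > "$(rofi_history_path)"
  before=$(rofi_history_count)
  neutralize_rofi_history
  # Simulate a later write by rofi; it lands in /dev/null.
  printf '654321\n' >> "$(rofi_history_path)"
  after=$(rofi_history_count)
  echo "$before $after"
}
```

Run `rofi_history_contains <pin>` right after a test prompt to confirm the leak on your own build, and `neutralize_rofi_history` to stop it while the upstream fix is pending; both functions only use the path from the report, so a rofi built with a different cache location would need the path adjusted.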