| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per a report from Lakshay Garg <lakshayg@outlook.in>, the use of $TMPDIR
in the Vim plugin's pattern match does not work on macOS X, due to the
dynamic and symbolically-linked temporary dir structure this system
uses. Lakshay's email to me, which includes a full explanation, is
reproduced with his permission below.
This change is reflected in upstream v2.2.2:
<https://sanctum.geek.nz/cgit/vim-redact-pass.git/commit/?h=v2.2.2>
>Date: Sat, 13 Feb 2021 23:59:22 -0800
>From: Lakshay Garg <lakshayg@outlook.in>
>To: tom@sanctum.geek.nz
>Subject: [PATCH] vim: fix redact_pass.vim for macOS
>
>Hi Tom
>
>Thanks for maintaining redact_pass.vim. I came across an issue in the
>plugin a few months ago and submitted a patch for it to the
>password-store mailing list but did not get any responses. It seems
>like since only you have been maintaining that file, I might have
>better luck sending the patch to you.
>
>---
>
>Problem: redact_pass.vim did not work on macOS machines
>Fix: add resolve($TMPDIR) to the autcmd pattern list
>
>Explanation
>===========
>
>pass creates files under /private/var/<some-stuff> on macOS.
>redact_pass.vim uses the following pattern to detect when to
>enable the plugin:
>
>```
>$TMPDIR/pass.?*/?*.txt
>```
>
>This pattern expands to "/var/<some-stuff>//pass.?*/?*.txt"
>on my macbook and has two problems:
>
>1. The double forward slash in the expanded pattern (after <some-stuff>)
>2. pass uses /private/var but the pattern looks for /var
>
>Turns out, /var on macos is just a symlink to /private/var.
>The autocmd fails to trigger because it is trying to match
>the pattern: "/var/<some-stuff>//pass.?*/?*.txt"
>to filename: "/private/var/<some-stuff>/pass.<random-chars>/<random-chars>.txt"
>
>The simplest fix is to make $TMPDIR point to "/private/var/..."
>which is achieved by calling resolve on $TMPDIR prior to running
>the autocmd. This also handles the double forward-slash.
>
>Thanks again
>Lakshay
|
|
|
|
|
| |
Works around issues with some popular colorschemes in v8.1. Problem
reported and fix suggested by Jeff Weston.
|
|
|
|
|
|
|
|
|
|
| |
The "f" library is a rather thin translation layer for already
existing Emacs functions. Most functions directly map to an already
existing function (eg. "f-no-ext" and "file-name-sans-extension"). For
this reason, removing "f" comes at no cost while reducing the number
of dependencies one has to count on and the user has to install.
Co-authored-by: Tino Calancha <tino.calancha@gmail.com>
|
|
|
|
|
|
|
| |
Clarify that the optional argument is only used in the `message' call.
Bump version to v2.1.3.
* contrib/emacs/password-store.el (password-store-clear): Update docstring.
* contrib/emacs/CHANGELOG.md: Document this change.
|
|
|
|
|
|
|
|
|
|
|
| |
This change preserves backward compatibility with previous
version of the function.
Bump version to v2.1.2.
* contrib/emacs/password-store.el (password-store-clear):
Make argument FIELD optional.
* contrib/emacs/CHANGELOG.md: Announce this change.
|
|
|
|
|
|
|
|
|
| |
For auth-source-pass versions < 5.0.0, auth-source-pass-filename
is not defined; thus, we must check that this variable exists before
use it.
* contrib/emacs/password-store.el (password-store-dir): Call
bound-and-true-p on auth-source-pass-filename.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow users to retrieve any secret field stored in the files.
Use auth-source-pass to retrieve the secret fields.
Bump version to v2.1.0.
* contrib/emacs/Cask: Replace dependency on `s' library
with auth-source-pass dependency.
* contrib/emacs/password-store.el
(password-store-url-field): New option.
(password-store-dir): Use `auth-source-pass-filename'.
(password-store-read-field, password-store-get-field)
(password-store-copy-field, password-store-parse-entry): New functions.
(password-store-read-field): Use password-store-parse-entry.
(password-store--save-field-in-kill-ring): New function extracted from
`password-store-get'.
(password-store-url): Use `password-store-get-field' and
`password-store-url-field'.
* contrib/emacs/README.md: Update documentation.
* contrib/emacs/CHANGELOG.md: Announce changes.
|
|
|
|
|
|
|
|
|
|
|
| |
Before, the following message was shown:
"Enter contents of ENTRY and press Ctrl+D when finished:\n\n"
Since the command is not interactive, it is better to show users
specific messages on success/failure.
* contrib/emacs/password-store.el (password-store-insert):
Improve message shown on success/failure.
|
|
|
|
|
|
|
|
| |
Some libraries rely on this function, e.g. password-store-otp library.
* contrib/emacs/password-store.el (password-store-timeout):
Re include this function; now it just returns
password-store-time-before-clipboard-restore.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using a customizable variable is the preferred way to set
a parameter within Emacs; replace password-store-timeout with
the new option password-store-time-before-clipboard-restore.
The default value for this variable uses the environment var
PASSWORD_STORE_CLIP_TIME when set; this is the same behavior
as before.
Add Maintainer header.
* contrib/emacs/password-store.el (password-store-password-length):
Increased default value from 8 to 25, i.e. same default as
in the shell script.
(password-store-time-before-clipboard-restore): New option.
(password-store-timeout): Delete it.
Use the new option instead; all callers updated.
* contrib/emacs/CHANGELOG.md: Announce the features.
|
| |
|
|
|
|
|
|
|
|
| |
Emacs backup files add a duplicate entry, that is, if you have the two files,
foo.bar and foo.bar~, then you'd get two entries for `foo'.
* password-store.el (password-store-list): Delete duplicate entries. Bump
version to 2.0.2. Update Copyright notice.
|
|
|
|
|
| |
Drop nil arguments in `password-store--run` and `password-store--run-1`. This
fixes an error running `password-store-generate`.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using EXWM, if `password-store-get` is called and a pinentry
program needs to be executed, Emacs deadlocks. This happens becuase
Emacs blocks waiting for output from `gpg(1)`, which is blocked
waiting for output from the pinentry-program, which is blocked waiting
for Emacs to manage its window.
This updates `password-store-copy` to work asynchronously. This
should be fine, since its primary purpose is side-effecting, and it
doesn’t matter when its evaluation completes. The ability to call
`password-store-get` asynchronously with a callback has also been
added to support this usecase.
A new function has been added for general cases of async `pass`
commands where the output is needed, `password-store--run-1`. While
there is an existing `password-store--run-async`, it discards output
-- it’s only used for `pass edit`, where it’s not needed. The body of
`password-store--run` has been replacing it with one that uses
`--run-1` and a wait loop which blocks until it’s complete.
Supporting all this necessitated moving the file to lexical binding
and dropping Emacs 24 support. The latter requirement could be worked
around if there are concerns around it.
**SECURITY INTERLUDE**
I was unbelievably distressed to discover that the implementation of
`password-store--run` redirects the decrypted file contents to disk,
reads that into a buffer, then removes the file. This approach is
preposterous and may warrant a CVE, as it exposes users to numerous
conditions where their cleartext passwords could be recovered:
- If the user hits C-g, the Emacs function may not get to the point
of removing the file, leaving the password on disk.
- It’s not a safe assumption that `make-temp-file` is secure, and
even if it were, the time windows in play are likely to be very
large, opening race conditions where the file contents can be read
by an attacker before the file is removed.
- Even if the file is removed, it could be recovered by examining the
contents of deleted inodes.
Information this sensitive should NEVER be persisted in cleartext in
non-volatile storage. You may as well write it on a post-it and stick
it on your monitor.
re NicolasPetton/pass#25
|
|
|
|
| |
"http://" was repeated, fix the second instance to read "https://".
|
|
|
|
|
| |
Use the autocmd pattern to match the password filename rather than doing
it manually within the called function.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per debugging from Enno Nagel <enno.nagel+vim@gmail.com>, it's become
apparent to me that to have any degree of confidence that none of these
options have actually got any plaintext password data in them, we need
to disable the options globally when a password file is edited.
In particular, in the case of the 'viminfo' global option, it's not
possible to disable it per path, and not terribly meaningful either;
things like the last seach pattern or the contents of registers, i.e.
global state of the editor, are recorded. There's no sensible approach I
can see except to actually switch the feature off entirely by blanking
it.
I've therefore completely rewritten this, to make as thorough a check as
possible that the Vim user is editing a pass(1) file by calling `pass
edit`, and then to disable the "leaky" options globally, with an
explicit warning so that the user can see it's been done.
This plugin is also available as Vim script #5707:
<https://www.vim.org/scripts/script.php?script_id=5707>
Its homepage is here:
<https://sanctum.geek.nz/cgit/vim-redact-pass.git/about/>
|
|
|
|
|
| |
If IFS (Input Field Separator) is not emptied, read will actually strip
spaces and tabs at the beginning/end end of the "line".
|
| |
|
|
|
|
|
| |
This is important for filenames with special characters such as spaces
and parenthesis.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Instead of editing the password file directly using Emacs, "pass edit" is
run. This allows password-store's git change tracking to work.
This adds a dependency on the with-editor Emacs package.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Code is now PEP 8 compliant
- Uses argparse module for command line arguments
- Prints what it will do and prompts for confirmation before
proceeding
- Does not put URL and notes fields in the entry unless they
are present in the CSV file
- Adds a "user" field in the entry
- There are now command line arguments for the following:
- Exclude specific groups from being imported
- Convert groups and names to lowercase
- Use the name of the KeePass entry rather than the
username as the pass entry name
|
| |
|
| |
|
| |
|
|
|
|
| |
The CSV is generated by KeePassX 2.0 on Mac OSX
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
To assist the migration from the default Firefox password store to
passff.
Add also some basic tests.
More info at:
- <https://addons.mozilla.org/en-US/firefox/addon/password-exporter>
- <https://addons.mozilla.org/en-US/firefox/addon/passff>
|
|
|
|
|
|
|
|
| |
Prof. Aho always seemed neat, but parsing a script inside a script for
the simple purpose of removing the trailing new line seems a bit absurd.
So, instead use two processes! One for getting the first line and one
for removing the trailing line. Everybody loves more calls to fork(),
right?
|
|
|
|
|
|
|
|
|
| |
Without this patch, all entries are processed twice: once in the first
call to import_group (which recursively processes all entries), then in
the following import_group on all subgroups.
This leads to spurious warnings ("Duplicate needs merging") and extra
text added to each entry.
|
|
|
|
|
| |
Use a defvar for the timeout timer in order to have better control and
not starting multiple timers when calling password-store-copy.
|
|
|
|
|
| |
In particular, people were encountering exceptions when `empty?` was
called on a `nil` grouping.
|
|
|
|
|
|
|
|
|
|
|
| |
The output of pass may contain "%", which will cause `message` to throw
the error: "Not enough arguments for format string".
For example, `pass rename foo bar` outputs:
[master c33f7a9] Rename foo to bar.
1 file changed, 0 insertions(+), 0 deletions(-)
rename foo.gpg => bar.gpg (100%)
|
|
|
|
| |
It seems this file doesn't use spaces any more.
|
|
|
|
|
| |
In 87ec1489fa98, I forgot that some people like to store more than one line in
their password files. We should only pass the first line to xdotool.
|
|
|
|
|
|
|
| |
This works around a bug in xdotool parsing when encountering quotes, see
https://github.com/jordansissel/xdotool/issues/72.
Thanks to Gerd Wachsmuth for the report.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Use delq instead of -reject from the dash package.
|