-
-
Notifications
You must be signed in to change notification settings - Fork 529
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reading pasted armored input from a terminal clashes with password prompt #364
Comments
Hmm, this is a valid UX bug, thank you, but it's also trickier than it looks: we want
to keep working, and it definitely can't wait for the end of the message. We could special case armored messages, but it feels like a hack.
We do read the password from the TTY. In fact, that is the only reason pasting a password-protected file into Thinking about it, this feels like a defect in the terminal emulator: if you start a paste operation into a stdin, it should not then take a piece of that into a TTY input when the TTY is opened, no? |
@FiloSottile Sorry for assuming that stdin was used for passwords. GPG apparently is doing that, but not Age. Special handling of armored format (and restricting it to relatively short data that can fit in RAM) seems sensible to me, while keeping the binary format streamable. Alternatively, you check if stdin is a tty (which it isn't when input is piped in), and only then wait for the full input. I gather that all terminals handle tty and stdio the same, at least I have never observed any visible separation of the streams. When the terminal side is using a tty device for I/O, it cannot simultaneously use the stdio without additional hacks. Pasted text is particularly tricky over SSH connections where the receiving side has no reliable way of determining when the paste has ended (e.g. by using a timer, because of network latencies). |
re: edited issue title: I have to emphasise that the full input should be read in any case, even when public keys are used, to avoid the security issue mentioned in the first post. E.g. consider this pretty innocent-looking fake message. I've put in an
|
I'll think about the least hacky way to make the UX work, but we are not going to do a useless stdin read in case someone pasted malicious input into their terminal without the proper paste mode. None of the basic UNIX tools do, and anyway we can't protect against
|
GPG does not suffer of this because it always reads until EOF. That is one way to do it, but less good UX especially for people who don't know how to enter EOF on console (Ctrl+Z on Windows, Ctrl+D on others). I guess that an extra footer in the middle would still be far easier to notice by a potential victim than just a few invalid characters in the middle of Base64 lines, so you could keep that good UX and only keep reading until a footer is found. Covert attempts to handle this with timers (when tty input is detected), so generally a paste is correctly read but it is not 100 % certain over mobile SSH connections. |
I spent some time getting familiar with terminal handling and cleaning up terminal support in age, and I can see three ways forward here. All these are for when
|
A partial solution, still missing bracketed paste support. Updates #364
Trying to decode a password-encrypted message by pasteing it in a terminal:
I would expect the password prompt to appear only after the
END AGE
footer, but it actually appears while not all of the message has been pasted yet, and ends up reading part of the last Base64 line as password, while leaving the footer be spammed on shell prompt.This does not occur with all messages, but the one used here was created as follows:
This should be solved by always waiting for the footer before stopping, and prior to asking for a password.
I would recommend doing so even if invalid data was detected in the middle, to avoid spamming the rest of the message on shell prompt. A malicious malformed message could contain commands such as
rm -rf ~
in the middle of a long armor sequence that then inadvertently get executed by a recipient.Additionally, the password prompt could be using the tty rather than stdin, or if available, using a GUI prompt for password. Existing password-asking programs employ both of these methods. Using a tty for password input allows it to work on interactive console even when stdin, stdout and stderr are all redirected, and in particular when Age gets its input data via stdin pipe. Although, changing this would break any existing hacks that feed Age with passwords over stdin (unless they run without a terminal and Age then falls back to reading stdin).
The text was updated successfully, but these errors were encountered: