On Sat, Dec 7, 2013 at 2:22 PM, Christian Weisgerber <[email protected]> wrote:
> Christian Weisgerber <[email protected]> wrote:
>
>> --------------->
>> #!/bin/sh
>>
>> SAFE=$HOME/.pwsafe
>> TMPFILE=`mktemp /tmp/pwsafeXXXXXXXXXX` || exit 1
>>
>> trap 'rm -P "$TMPFILE"' 0 1 2 15
>>
>> STTY=`stty -g`
>> echo -n "Password: "
>> stty -echo
>> read PASSWORD
>> stty "$STTY"
>>
>> set -e
>> echo -n "$PASSWORD" | openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin
>> ${EDITOR-${VISUAL-vi}} "$TMPFILE"
>> echo -n "$PASSWORD" | openssl aes-256-cbc -in "$TMPFILE" -out "$SAFE" -pass stdin
>> <---------------
>
> So this stood up to review here pretty well.

I tried to set my password but changed the terminal title instead.

>
> The major potential leak is that the decrypted content is temporarily
> stored as a cleartext file.

Interesting. vi can't open stdin, but vim can. It seems that we are
accommodating to the limitations of sh and vi instead of recognizing
they're unsuitable.

> If your storage is backed by some sort
> of log-structured filesystem, like a flash memory medium, the
> cleartext will not actually be overwritten and may be recoverable.
> Also, your editor may scatter additional cleartext copies around,
> for instance vi's recovery files.
>
> --
> Christian "naddy" Weisgerber [email protected]
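As an added example, not part of this thread or of naddy's script, here is the same decrypt/edit/re-encrypt flow with the two leaks he names narrowed: the cleartext copy goes to a memory-backed directory rather than flash, and the editor is run with its swap, backup, undo and viminfo files switched off; the password is also moved with printf and read -r so backslashes reach openssl unchanged. It assumes vim and openssl(1) are installed; PWSAFE and PWSAFE_TMPDIR are knobs invented for this example.

```shell
#!/bin/sh
# Added example (not naddy's script). Assumes openssl(1) and vim.
# PWSAFE_TMPDIR is an assumed knob pointing at an mfs/tmpfs mount.
SAFE=${PWSAFE:-$HOME/.pwsafe}

# Memory-backed directory for the cleartext copy, so it never reaches flash
# or a log-structured filesystem where rm -P cannot really overwrite it.
choose_tmpdir() {
    for d in "${PWSAFE_TMPDIR:-}" /dev/shm; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"; return 0
        fi
    done
    echo "warning: no RAM-backed tmpdir found, cleartext will touch disk" >&2
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# Overwrite-then-unlink: shred on GNU systems, rm -P on OpenBSD, plain rm last.
secure_rm() {
    if command -v shred >/dev/null 2>&1; then shred -u -- "$1"
    elif rm -P -- "$1" 2>/dev/null; then :
    else rm -f -- "$1"
    fi
}

edit_safe() {
    umask 077                                  # temp file is 0600 from birth
    tmp=$(mktemp "$(choose_tmpdir)/pwsafeXXXXXXXXXX") || return 1
    trap 'secure_rm "$tmp"' 0 1 2 15
    stty_save=$(stty -g); printf 'Password: '
    stty -echo; read -r pw; stty "$stty_save"; echo
    # printf, not echo: some shells' echo interprets backslash escapes, so the
    # key bytes would differ from what was typed (and read -r keeps them too).
    printf '%s\n' "$pw" | openssl aes-256-cbc -d -in "$SAFE" -out "$tmp" -pass stdin || return 1
    # No swap file (-n), no viminfo (-i NONE), no backup/undo copies of the cleartext.
    vim -n -i NONE --cmd 'set nobackup nowritebackup noswapfile noundofile viminfo=' "$tmp" || return 1
    printf '%s\n' "$pw" | openssl aes-256-cbc -in "$tmp" -out "$SAFE" -pass stdin
}

# Only run the interactive flow when asked, so the helpers can be sourced/tested.
if [ "${1:-}" = edit ]; then edit_safe; fi
```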

