Ubuntu Terminal App

BQ (r24): terminal-app shows terminal data when asking for password

Bug #1488481 reported by Matthias Apitz
32
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Ubuntu Terminal App
Fix Released
Critical
Evan McIntire

Bug Description

I have a terminal-app click package based on the original sources, but
which integrates the start of an application, the MUA 'mutt'. The same
problem described here is true for the original terminal-app, only less
visible because not in colors:

when the terminal is asking for the password, it makes already visible
data in the terminal window, best visible in landscape mode, see attachment.

See original description

Related branches

lp:~mcintire-evan/ubuntu-terminal-app/auto-focus-auth
Stefano Verzegnassi: Approve
Jenkins Bot: Approve (continuous-integration)
Niklas Wenzel: Pending requested
Ubuntu Terminal Developers: Pending requested
Diff: 26 lines (+9/-1)
1 file modified
src/app/qml/AuthenticationDialog.qml (+9/-1)
lp:~verzegnassi-stefano/ubuntu-terminal-app/hide-terminal-data-on-auth
Evan McIntire: Approve
Jenkins Bot: Approve (continuous-integration)
Diff: 60 lines (+15/-0)
3 files modified
src/app/qml/AuthenticationService.qml (+5/-0)
src/app/qml/TerminalPage.qml (+9/-0)
src/app/qml/ubuntu-terminal-app.qml (+1/-0)
Revision history for this message
Matthias Apitz (gubu) wrote :
information type: Private Security → Public
Revision history for this message
Alan Pope 🍺🐧🐱 πŸ¦„ (popey) wrote :

I've seen this too, although only showing the default shell prompt, not a full app, it's still valid bug.

I would like to see us only launch the process in the terminal after the pin has correctly been entered.

Changed in ubuntu-terminal-app:
status: New → Confirmed
importance: Undecided → High
Matthias Apitz (gubu)
description: updated
Revision history for this message
Matthew Exon (ubuntubugs-mexon) wrote :

This isn't just a display issue. With a bluetooth keyboard attached you can also type commands, for example editing .ssh/authorized_keys. No doubt there are other ways a keyboard could be introduced into the equation, e.g. the USB socket. So that's bad.

Revision history for this message
Matthew Exon (ubuntubugs-mexon) wrote :
Evan McIntire (mcintire-evan)
Changed in ubuntu-terminal-app:
status: Confirmed → In Progress
assignee: nobody → Evan McIntire (mcintire-evan)
David Planella (dpm)
Changed in ubuntu-terminal-app:
importance: High → Critical
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Excellent find re: the bluetooth keyboard. :) Very nice work.

I'm less worried about the process actually starting; the reasoning behind the prompt in the first place is that you ought to be able to hand your phone to a stranger and they ought not be able to completely own the phone just by fiddling with it for a bit. I don't think this password in the terminal was ever intended to provide any privacy mechanisms.

But interacting with the prompt via a bluetooth keyboard ought to be addressed; it's surprising and not at all obvious that it could happen.

Thanks

Revision history for this message
Jenkins Bot (ubuntu-core-apps-jenkins-bot) wrote :

Fix committed into lp:ubuntu-terminal-app at revision None, scheduled for release in ubuntu-terminal-app, milestone 2014-12-11

Changed in ubuntu-terminal-app:
status: In Progress → Fix Committed
Stefano Verzegnassi (verzegnassi-stefano)
Changed in ubuntu-terminal-app:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.