[pass] Proposed change to prevent passwords from being displayed
lars
lars at larssorenson.com
Mon Dec 28 20:53:06 CET 2015
Hello,
I'm a recent adopter of Pass(1) and love the utility but I find it a
little disconcerting that passwords can be outputted to the terminal's
display buffer without the user's permission, specifically when
generating a password. I may not want to copy the password straight to
my clipboard after generating it either so using that as a work-around
is a bit of a hack. I propose using an environment variable that will
allow a user to explicitly disable passwords from being shown when using
the generate and show commands, prompting them instead to use the -c
option (though generate will still succeed in generating a password).
It defaults to "on" to maintain backwards compatibility.
Thoughts?
diff --git a/src/password-store.sh b/src/password-store.sh
index d535a74..68f506e 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -15,6 +15,7 @@ which gpg2 &>/dev/null && GPG="gpg2"
PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}"
+PASSWORD_SHOW="${PASSWORD_STORE_SHOW_PASSWORD:1}"
export GIT_DIR="${PASSWORD_STORE_GIT:-$PREFIX}/.git"
export GIT_WORK_TREE="${PASSWORD_STORE_GIT:-$PREFIX}"
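Review bot: The added `PASSWORD_SHOW="${PASSWORD_STORE_SHOW_PASSWORD:1}"` uses substring expansion (offset 1), not a default value, so an unset variable or any one-character value such as `0` or `1` expands to an empty string. The later `[[ $PASSWORD_SHOW -eq 0 ]]` tests evaluate an empty string as 0, so display would be disabled by default, contrary to the "defaults to on" intent in the description. The line should read `PASSWORD_SHOW="${PASSWORD_STORE_SHOW_PASSWORD:-1}"`, matching the `:-` form used by the neighbouring settings.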
@@ -310,7 +311,11 @@ cmd_show() {
check_sneaky_paths "$path"
if [[ -f $passfile ]]; then
if [[ $clip -eq 0 ]]; then
- $GPG -d "${GPG_OPTS[@]}" "$passfile" || exit $?
+ if [[ $PASSWORD_SHOW -eq 0 ]]; then
+ die "Error: Displaying passwords is
specifically disabled, but you did not specify copying to clipboard."
+ else
+ $GPG -d "${GPG_OPTS[@]}" "$passfile" ||
exit $?
+ fi
else
local pass="$($GPG -d "${GPG_OPTS[@]}"
"$passfile" | head -n 1)"
[[ -n $pass ]] || exit 1
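Review bot: The new guard `[[ $PASSWORD_SHOW -eq 0 ]]` in cmd_show evaluates the environment-supplied value as an arithmetic expression, so a non-numeric setting such as `no` or `false` (or an empty string) compares equal to 0 and disables display without any warning; the same test is repeated in the cmd_generate hunk. A string comparison, `if [[ $PASSWORD_SHOW == 0 ]]; then`, treats only the literal `0` as "off" and never evaluates the variable's contents. The guard also fires when stdout is a pipe or file, which would break scripts that read `pass show` output. If the goal is only to keep secrets out of the terminal's display buffer, consider also requiring `[[ -t 1 ]]`. cmd_show starts and continues outside this hunk.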
@@ -470,7 +475,11 @@ cmd_generate() {
git_add_file "$passfile" "$verb generated password for ${path}."
if [[ $clip -eq 0 ]]; then
- printf "\e[1m\e[37mThe generated password for
\e[4m%s\e[24m is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
+ if [[ $PASSWORD_SHOW -eq 0 ]]; then
+ printf "Displaying passwords is specifically
disabled, but you did not specify copying to clipboard.\nThe password
for ${path} was successfully created.\n"
+ else
+ printf "\e[1m\e[37mThe generated password for
\e[4m%s\e[24m is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
+ fi
else
clip "$pass" "$path"
fi
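Review bot: The new message in cmd_generate interpolates `${path}` directly into the printf format string, so an entry name containing `%` or a backslash is interpreted as a format directive or escape instead of being printed literally. The existing line keeps the name out of the format by passing it as a `%s` argument, and the new branch should do the same: `printf 'Displaying passwords is specifically disabled, but you did not specify copying to clipboard.\nThe password for %s was successfully created.\n' "$path"`. Since this is a notice rather than requested output, sending it to stderr with `>&2` would also keep it out of any captured stdout. cmd_generate starts and continues outside this hunk.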
Thanks,
Lars Sorenson