pass edit leaking secrets

Stefan Gehr stefan.kerman.gehr at fau.de
Wed Jul 21 12:49:57 UTC 2021


On 2021-07-21T13:54:30+0200, Patrik Keller wrote:
> Dear all,
> 
> it's probably no news for you, but running `pass edit secret` might leak
> information to persistent storage if `$EDITOR` is not configured properly. I
> got hit by this after switching from vim to neovim. The latter defaults to
> storing swap, undo, and backup files in the user's home directory [0].
> 
> My personal thoughts on this are:
> 1. Neovim should not have changed the default.
> 2. `pass edit` should warn about the potential leakage.
> 3. I want to set the password editor independent of `$EDITOR`.
> 
> I could imagine the following workflow for `pass edit`:
> 1. Prefer `$PASS_EDITOR` over `$EDITOR` over `vi`.
> 2. If `$PASS_EDITOR` is not set, print a warning about the potential leakage
> and ask for confirmation.
> 3. Proceed as before.
> 
> Do you know a better solution? Maybe one that works w/o changing pass?
> 
> Best
> Patrik
> 
> 0: https://github.com/neovim/neovim/issues/4481

Hi,

pass comes with the vim script contrib/vim/redact_pass.vim.
https://git.zx2c4.com/password-store/tree/contrib/vim/redact_pass.vim
Just source that file in your (neo)vim config and you're fine.

Best regards
Stefan
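
The workflow proposed in the quoted message, written as a shell wrapper that needs no change to pass (an added example, not part of either post and not code from the password-store project). `PASS_EDITOR` is the variable name proposed in the thread and is read only by this wrapper; the function names `pass_pick_editor` and `pass_confirm_editor` are hypothetical.

```shell
# Added example: wrapper around the pass command, meant to be sourced from a
# shell rc file. PASS_EDITOR is interpreted here, not by pass itself.

# Print the editor to use for secrets: $PASS_EDITOR, then $EDITOR, then vi.
pass_pick_editor() {
    if [ -n "${PASS_EDITOR:-}" ]; then
        printf '%s\n' "$PASS_EDITOR"
    elif [ -n "${EDITOR:-}" ]; then
        printf '%s\n' "$EDITOR"
    else
        printf '%s\n' vi
    fi
}

# Return 0 if the edit may proceed. With PASS_EDITOR unset, warn on stderr
# and require an explicit "y" on stdin; EOF or anything else means "no".
pass_confirm_editor() {
    [ -n "${PASS_EDITOR:-}" ] && return 0
    printf 'warning: PASS_EDITOR is not set; "%s" may write swap, undo or backup files to persistent storage.\n' \
        "$(pass_pick_editor)" >&2
    printf 'Continue? [y/N] ' >&2
    read -r _pass_answer || return 1
    case "$_pass_answer" in
        y|Y) return 0 ;;
        *)   return 1 ;;
    esac
}

# Intercept "pass edit ..."; every other subcommand is passed through unchanged.
pass() {
    if [ "${1:-}" = "edit" ]; then
        pass_confirm_editor || { echo 'pass edit aborted' >&2; return 1; }
        # The assignment applies only to this one invocation of the real pass.
        EDITOR="$(pass_pick_editor)" command pass "$@"
    else
        command pass "$@"
    fi
}
```

The wrapper only selects the editor; whether that editor keeps swap, undo and backup files off persistent storage still depends on its own configuration, which is what redact_pass.vim addresses for (neo)vim.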

