Hi!

Just use the awesome highline gem:

require 'rubygems'
require 'highline/import'

# ask() with echo switched off: the typed password never reaches the terminal
def get_password(prompt="Enter Password")
   ask(prompt) {|q| q.echo = false}
end

thePassword = get_password()

regards, sandor

On 20/07/14 23:22, Dolan Murvihill wrote:
> Hi everybody,
> 
> Sorry if this isn't the correct list; I'm new to Ruby and couldn't
> find an answer to this question in the other likely places.
> 
> I'm working on a tool that wraps the Arch Linux command line
> password manager "pwsafe". It keeps your master password in memory
> for ten minutes so that you don't have to re-type it so much.
> Recently I found a vulnerability and have to re-write the function
> that invokes the main pwsafe program to get the application
> password. It looks like this now:
> 
> def fetch_app_password
>   master_password = driver.get # fetch the password from the user
>   # TODO stop printing the user's master password in cleartext
>   open("| #{PWSAFE} -q -E -p #{stringified_args}", 'r+') do |pwsafe_pipe|
>     pwsafe_pipe.write(master_password + "\n")
>     app_password = pwsafe_pipe.readline()
>     if app_password == "Passphrase is incorrect"
>       system 'killall pwsafe'
>       raise 'Passphrase is incorrect'
>     end
>     return app_password
>   end
>   raise 'an error occurred'
> end
> 
> This code invokes pwsafe and correctly returns the application
> password the user asked for; however, the entire exchange between
> the password safe and the ruby program occurs in the user's
> terminal - in cleartext. This is unacceptable because shoulder
> surfers are definitely part of my threat model.
> 
> I've tried a few things, including running `stty -echo` just
> before opening the pipe; none of them have prevented that
> master_password variable from ending up on the terminal. Can anyone
> suggest a good way to silence the master password, or (even better)
> the entire conversation?
> 
> Thanks, Dolan
> 


-- 
Kind regards, Sandor