Public bug reported:

Binary package hint: vim


For better or worse, there are some silly systems that require passwords to be
entered into files. For example the maven build tool has the need for
passwords and even passphrases to be placed in the .m2/settings.xml file. So
I've been habitually editing that file before doing mvn releases, adding my
passwords and passphrases, doing the release and then editing the file again to
remove the passwords and passphrases.

Today as a general security check (prompted by stupid Chrome also being
an application that stores passwords in the clear), I did a scan of all
my dot files looking for my passwords and passphrases (which of course
put them into my .bash_history!!). Unfortunately I found many
instances of these in my .viminfo file, as it was remembering my search
and replaces.

I really like the feature of vim that it does remember commands from
past executions, but in this case, that represents a bit of a security
problem (well it compounds the security problem that is caused by files
like .m2/settings).

I think to combat this, vim needs to have a list of files configured
both globally and per user, that when edited, the command history does
not enter the .viminfo file. Any files known to contain passwords
should be listed in the default setup of vim. Such a file list would
include:

$HOME/.m2/settings.xml
/etc/openvpn/*.conf

There should also be a mechanism to purge all .viminfo files when you
want to clear the system.

** Affects: vim (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/687281

Title:
  viminfo can leak sensitive information

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
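
An added example, not part of the original report and not Vim's own code: a check for the leak described in the report that reads the secret from a no-echo prompt, so the search itself does not end up in .bash_history, and reports which viminfo section holds it without printing the secret. The sample file contents and the secret are constructed for illustration.

```python
import getpass
import os
import sys

# Constructed sample in the layout Vim writes to ~/.viminfo; the secret is made up.
SAMPLE_VIMINFO = """\
# Last Substitute String:
$hunter2-constructed

# Command Line History (newest to oldest):
:%s/CHANGEME/hunter2-constructed/
:wq

# Search String History (newest to oldest):
?/hunter2-constructed
?/dependency

# Registers:
"0\tLINE\t0
\t<password>hunter2-constructed</password>
"""


def find_secret_lines(text, secrets):
    """Return (line_number, section) for every line that contains a secret.

    The section is the most recent '#' comment line, which is how viminfo
    labels its blocks. The matching text itself is never returned.
    """
    hits = []
    section = "(no section)"
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            section = line.lstrip("# ").rstrip(":")
            continue
        # Skip empty secrets: "" is a substring of every line.
        if any(s and s in line for s in secrets):
            hits.append((number, section))
    return hits


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.viminfo")
    secret = getpass.getpass("Secret to look for (not echoed): ")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, section in find_secret_lines(fh.read(), [secret]):
            print(f"{path}:{number}: {section}")
```

On the constructed sample the secret shows up in the substitute string, the command-line history, the search history and a yank register.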