On Dec 3, 2007 1:17 PM, Erik Falor wrote:
>
> On 03/12/2007, Matt Wozniski wrote:
> >
> > 3. This entire discussion seems to basically be a moot point since
> > any cracker worth his salt would just be sniffing the network...
> > FTP transmits passwords in plaintext; security in how netrw handles
> > the passwords seems to be a rather moot point to me.
>
> netrw doesn't only handle FTP transfers.  Better types of traffic are
> supported.
>
> I just don't like the idea that my password is sitting in a global vim
> variable for all to see.  If I walk away from my keyboard, someone
> could walk by and type :echo netrw_passwd
>
> Plus, if/when I dump core, my password is there, in cleartext, in the
> dumpfile.  Again, something I don't want to leave to filesystem perms
> to protect me from.  Especially if I happen to be using an OS that
> FTPs dumpfiles back to the mothership for you.

That's a very good point (and I hadn't thought of core files) but you
also point out two important considerations: first, that even laying
aside the fact that this encryption idea only provides security through
obscurity, you could achieve a similar amount of security by having
netrw store the password in a script-local variable, rather than a
global variable (global variables are particularly awful, since a
malicious user at your keyboard, or anyone who convinces you to install
their vim script, can just scan through the output of :let searching for
/pass/).  Fixing that to use a script-local variable would definitely be
a worthwhile change that should be made ASAP, though it still wouldn't
protect you from plaintext passwords being in your core files.

The second important point you make is that netrw supports other
protocols for which this isn't an issue.  If a user is sufficiently
worried about security to not want a plaintext ftp password stored in
vim's memory, he can always use ssh key-based authentication and make it
a moot point.

While we're at it, what is a reasonable use-case for why someone would
need a getpid() function?  Why would we need to know our PID?

~Matt
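The script-local storage Matt suggests, as an added example that is not netrw's code or anything from this thread: a hypothetical plugin fragment keeps the prompted password in an `s:` variable, touches it only from script-local functions, and offers a command to overwrite it. All names (`s:passwd`, `s:Prompt`, `s:Transfer`, `s:Forget`, `:DemoTransfer`, `:DemoForget`, `g:demo_passwd`) are invented for the illustration.

```vim
" Added example (not netrw's code): a hypothetical plugin fragment that keeps
" a prompted password in a script-local variable and never hands it back to
" callers.  All names here (s:passwd, s:Prompt, s:Transfer, s:Forget,
" :DemoTransfer, :DemoForget, g:demo_passwd) are invented for this example.

" What the thread objects to: a global is readable by anyone at the keyboard
" (:echo g:demo_passwd) and shows up in the list printed by a bare :let.
"   let g:demo_passwd = inputsecret('Password: ')

" Script-local instead: reachable only from this file's own functions.
let s:passwd = ''

" inputsecret() reads without echoing; the value still lives in Vim's
" process memory, so this does nothing for the core-dump case raised above.
function! s:Prompt() abort
  if empty(s:passwd)
    let s:passwd = inputsecret('Password: ')
  endif
endfunction

" Only script-local functions touch s:passwd, and none of them return it.
function! s:Transfer(url) abort
  call s:Prompt()
  " The transfer backend is not part of this example; a plugin would hand
  " s:passwd to it here rather than exporting the value to callers.
  echo 'would transfer ' . a:url . ' (password held in s:passwd)'
endfunction

" Overwrite the stored value, e.g. before leaving the keyboard.
function! s:Forget() abort
  let s:passwd = ''
endfunction

" Public entry points go through <SID>, so the s: functions stay private.
command! -nargs=1 DemoTransfer call <SID>Transfer(<q-args>)
command! DemoForget call <SID>Forget()
```

Save it as a file and `:source` it, then run `:DemoTransfer ftp://host/path` and `:DemoForget`. Typing `:echo s:passwd` at the command line does not reach this script's variable, which is the whole difference from the global case; as the message says, it is still no help against a core file.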

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---