
makeself --ssl-passwd usage exposed in header --info

Open arrjay opened this issue 5 years ago • 1 comments

Currently, any password supplied using --ssl-passwd when creating a makeself archive is exposed in the header --info block with the build commands. The problem can be sidestepped by using --ssl-pass-src and a temporary file instead. Should probably either rework the build info to drop/redact that argument or stop supporting --ssl-passwd.

arrjay avatar Nov 24 '19 07:11 arrjay

Thanks for this info. I never bothered to read the source of an encrypted, but this is indeed... well, quite deceiving.

Instead of removing it, the password should be filtered or replaced afterwards in the final archive.

Either replace your password:

sed -i archive.run -e 's/mypassword/**SECRET**/'

or a more generic approach (only tested with GNU sed) to replace most chars after --ssl-passwd:

sed -i archive.run -Ee '/--ssl-passwd/!b;n;s/[a-zA-Z0-9]+/**REMOVED**/'

Or better, do the filtering during the archive creation by makeself.sh with something like this:

secretnext=0
for f in "${1+"$@"}"; do
    # Replace the argument that follows --ssl-passwd before it is recorded
    if test "x$secretnext" = x1; then
        f="**REDACTED**"
        secretnext=0
    fi
    MS_COMMAND="$MS_COMMAND \\\\
    \\\"$f\\\""
    if test "x$f" = x"--ssl-passwd"; then
        secretnext=1
    fi
done

Saruspete avatar Dec 30 '19 00:12 Saruspete
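
To audit archives that were already built, the check below looks for a `--ssl-passwd` argument whose value was left unredacted. It is an added example, not part of the thread or of makeself. The function names and sample header are constructed, and the layout of one quoted argument per line is assumed from the sed command above.

```shell
#!/bin/sh
# Added example (not makeself code): audit .run archives for a password left
# in the recorded build command that --info prints.
# Assumption: each build argument is stored on its own line as \"arg\" \\,
# so the password sits on the line after \"--ssl-passwd\".

# Print the line number of every unredacted value (never the value itself).
# Returns 0 if at least one exposure is found, 1 otherwise.
ms_find_exposed_passwd() {
    LC_ALL=C awk '
        expect {
            expect = 0
            # Only the ** ... ** markers used in the thread count as redacted
            if ($0 !~ /\*\*(SECRET|REMOVED|REDACTED)\*\*/) { print NR; found = 1 }
        }
        # Match the quoted option itself; a trailing one with no value is ignored
        /"--ssl-passwd\\?"/ { expect = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample of the relevant header lines, with $1 as the stored value.
ms_sample_header() {
    printf '%s\n' \
        'echo Build command was: "/usr/bin/makeself.sh \\' \
        '    \"--ssl-encrypt\" \\' \
        '    \"--ssl-passwd\" \\' \
        "    \\\"$1\\\" \\\\" \
        '    \"payload\" \\' \
        '    \"archive.run\"'
}

# Usage: sh audit.sh archive.run [more.run ...]
for f in "$@"; do
    ms_find_exposed_passwd "$f" | while read -r n; do
        echo "$f:$n: --ssl-passwd value is not redacted"
    done
done
```

Any archive it flags should be treated as having disclosed its password, since the header is readable without decrypting the payload.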