
#2450 7z (on Linux) echoes password prompts

open
nobody
None
5
2024-07-31
2024-02-05
eugenesan
No

On Linux 7z echoes password prompts.

Expected behavior is to either hide the input completely or replace all characters with '*'.

The Debian maintainer introduced a fix, available here: https://salsa.debian.org/debian/7zip/-/blob/master/debian/patches/0005-Disable-local-echo-display-when-in-input-passwords-C.patch
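The behaviour requested above, sketched for POSIX terminals with termios. This is an added example, not code from the ticket, from the Debian patch or from 7-Zip; `read_password` is a hypothetical helper name and the prompt text is borrowed from the p7zip output quoted in the discussion.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from fd into buf (NUL-terminated, newline dropped). When fd
 * is a terminal, echo is turned off for the read and restored afterwards.
 * Returns the length, or -1 on error, overlong input or echo still on. */
static long read_password(int fd, char *buf, size_t cap)
{
    struct termios saved, quiet;
    size_t n = 0;
    int too_long = 0, is_tty;
    ssize_t r;
    char c;

    if (cap == 0)
        return -1;
    memset(&saved, 0, sizeof saved);
    is_tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (is_tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO; /* do not show typed characters */
        quiet.c_lflag |= ECHONL;          /* still show the closing newline */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0)
            return -1;                    /* never prompt with echo left on */
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = c;
        else
            too_long = 1;                 /* drain the rest of the line */
    }
    buf[n] = '\0';
    if (is_tty)                           /* a real tool also restores on SIGINT */
        tcsetattr(fd, TCSAFLUSH, &saved);
    if (r < 0 || too_long) {
        memset(buf, 0, cap);              /* leave no partial secret behind */
        return -1;
    }
    return (long)n;
}

int main(void)
{
    char pw[256];
    fputs("Enter password (will not be echoed): ", stderr);
    return read_password(STDIN_FILENO, pw, sizeof pw) < 0;
}
```

When input is piped rather than typed, `isatty` fails and the terminal settings are left untouched, so scripted use keeps working.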

Discussion

  • Sam Tansy

    Sam Tansy - 2024-02-06

    Instead of defining hundreds of macros like MY_DISABLE_ECHO_WIN32, MY_DISABLE_ECHO_UNIX, and what else, MY_DISABLE_ECHO_MACOS, MY_DISABLE_ECHO_IOS, XOS, YOS... it should test the system within `#ifdef MY_DISABLE_ECHO`:

    #ifdef MY_DISABLE_ECHO
        #if defined __unix__
        ...
        #elif defined _WIN32
        ...
        #endif
    #endif
    
     
  • Dennis Schulz

    Dennis Schulz - 2024-03-27

    I've experienced this today as well on MacOS.

    When testing a 7z encrypted archive using 7zz t archive.7z the tool asks for the password to decrypt the archive. While entering that password it echoes the entered password, which makes it readable in cleartext. I think this should be prevented.

    I've created an encrypted archive using Keka on MacOS. I've installed 7zz (from the formula sevenzip) via Homebrew on my Mac.
    Installed version of 7zz is: 7-Zip (z) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20 64-bit.

    Running 7zz t your_encrypted_archive.7z will ask you for the password. Enter it and you'll see your entered password in cleartext.

    Anybody reading logs of a script output using 7zz in this scenario would find the password in cleartext in the log file.

    Output showing the issue

    $ 7zz t encrypted_archive.7z
    
    7-Zip (z) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
     64-bit locale=UTF-8 Threads:10 OPEN_MAX:256
    
    Scanning the drive for archives:
    1 file, 158 bytes (1 KiB)
    
    Testing archive: encrypted_archive.7z
    
    Enter password:secret1234
    
    --
    Path = encrypted_archive.7z
    Type = 7z
    Physical Size = 158
    Headers Size = 158
    Solid = -
    Blocks = 0
    
    Everything is Ok
    
    Size:       0
    Compressed: 158
    

    Expected behaviour

    It should not have echoed my entered password. Not even stars, because that would tell me something about the entered password's length.

    How to reproduce

    Create an encrypted 7z archive. I've used Keka on MacOS.
    $ 7zz t your_encrypted_archive.7z

     
    • Sam Tansy

      Sam Tansy - 2024-03-27

      P7zip does that.

      which 7z
      /usr/local/bin/7z
      $ cat `which 7z`
      #! /bin/sh
      "/usr/local/lib/p7zip/7z" "$@"
      
      $ /usr/local/lib/p7zip/7z a -p a.7z a.txt
      
      Creating archive: a.7z
      
      Items to compress: 1
      
      
      Enter password (will not be echoed):
      Verify password (will not be echoed) :
      
      Files read from disk: 1
      Archive size: 466 bytes (1 KiB)
      Everything is Ok
      
       
  • yolorkit

    yolorkit - 2024-05-17

    Wow, it still isn't fixed despite having a Debian maintainer's patch.

     
  • Robert Lee

    Robert Lee - 2024-07-31

    Same problem on macOS 14.5 (ARM).

    Output showing problem:

    $ 7zz l file.7z 
    
    7-Zip (z) 24.07 (arm64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19
     64-bit arm_v:8.5-A locale=en_US.UTF-8 Threads:10 OPEN_MAX:256, ASM
    
    Scanning the drive for archives:
    1 file, 9999 bytes (9999 KiB)
    
    Listing archive: file.7z
    
    
    Enter password:mypassword
    

    Expected behavior: Password should not be echoed to the terminal; it should remain hidden.

    Steps to reproduce: 7zz l encryptedfile.7z

     
