Using --pw-stdin echoes password back #1673

Closed
a-dma opened this issue Mar 7, 2018 · 7 comments
@a-dma
Contributor

a-dma commented Mar 7, 2018

This is related to the issue I opened the other day #1636.
While most of it was fixed in 2.3.1, the password is still echoed back, at least on Ubuntu.

The culprit seems to be readline()

Expected Behavior

The database password should be kept hidden

Current Behavior

The database password is echoed back

Possible Solution

Using bash and pinentry something like this could be done

echo $(echo -e "SETPROMPT Database password\nGETPIN\nBYE" | pinentry | sed -n '/^D .*/s/^D //p') | keepassxc --pw-stdin Passwords2.kdbx

But a solution that disables echo altogether would be better. Something can be found here

Steps to Reproduce (for bugs)

  1. run keepassxc --pw-stdin Passwords.kdbx
  2. wait for the unpainted windows to appear
  3. type in the database password and see it being echoed back

Debug Info

KeePassXC - Version 2.3.1
Revision: 2fcaeea

Libraries:

  • Qt 5.9.1
  • libgcrypt 1.7.8

Operating system: Ubuntu 17.10
CPU architecture: x86_64
Kernel: linux 4.13.0-25-generic

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey
@phoerious
Member

I tested it and I cannot reproduce the behavior.

echo -n abc | keepassxc --pw-stdin Passwords.kdbx

opens the database, but nothing is printed to the console.

@a-dma
Contributor Author

a-dma commented Mar 7, 2018

Thanks for the quick reply.
I tried again with a different terminal, just in case: same result.

Don't get me wrong, but I think the solution you suggest is arguably worse. Now unless you take extra precaution your database password is saved in your history.

@phoerious
Member

It's not a solution, it's just proof that KeePassXC doesn't echo anything.
I suppose one of your commands is directly printing to STDOUT instead of or in addition to piping it to KeePassXC, which we can't do anything about.

@a-dma
Contributor Author

a-dma commented Mar 7, 2018

Sorry, I missed your point, I thought you were suggesting that as a workaround.

One of my commands? What do you mean? The problem manifests itself when running keepassxc --pw-stdin Passwords.kdbx. No trick up my sleeve, it's keepassxc that is reading from stdin with echo enabled.

It's the same difference between running

$ read SOMETHING

and

$ read -s SOMETHING

@louib
Member

louib commented Mar 7, 2018

@a-dma I guess we should be using getPassword()

@phoerious
Member

So you mean, it's not hiding your input when you type directly into its STDIN? Then I understand what you mean. I thought your pinentry example echoed something to the console.

@a-dma
Contributor Author

a-dma commented Mar 7, 2018

Correct, that's what I meant. Sorry for the confusion.
My pinentry example was a possible suggestion to avoid the password being echoed back.

Looks like the function mentioned by @louib is the way to go.
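
The behaviour discussed in this thread (hide typed input when stdin is a terminal, still accept a piped password) at the POSIX termios level, as an added example that is not part of the thread and not KeePassXC's code. The names EchoGuard and read_password_fd are hypothetical.

```cpp
#include <termios.h>
#include <unistd.h>
#include <string>

// Hypothetical helper (not from KeePassXC): turns terminal echo off for fd
// and restores the saved settings on destruction, including on early return.
class EchoGuard {
public:
    explicit EchoGuard(int fd) : fd_(fd) {
        // Only a terminal has an echo flag; pipes and files are left alone.
        if (!isatty(fd_) || tcgetattr(fd_, &saved_) != 0) return;
        termios quiet = saved_;
        quiet.c_lflag &= ~static_cast<tcflag_t>(ECHO);  // stop echoing typed characters
        quiet.c_lflag |= ECHONL;                        // still echo the final newline
        active_ = (tcsetattr(fd_, TCSAFLUSH, &quiet) == 0);
    }
    ~EchoGuard() { if (active_) tcsetattr(fd_, TCSAFLUSH, &saved_); }
    EchoGuard(const EchoGuard&) = delete;
    EchoGuard& operator=(const EchoGuard&) = delete;
    bool active() const { return active_; }
private:
    int fd_;
    termios saved_{};
    bool active_ = false;
};

// Reads one line from fd without the trailing newline. Works for a piped
// password (echo -n abc | prog) and for interactive typing on a terminal.
std::string read_password_fd(int fd, bool* echo_disabled = nullptr) {
    EchoGuard guard(fd);
    if (echo_disabled) *echo_disabled = guard.active();
    std::string pw;
    char c;
    while (read(fd, &c, 1) == 1 && c != '\n') pw.push_back(c);
    if (!pw.empty() && pw.back() == '\r') pw.pop_back();  // tolerate CRLF input
    return pw;
}

int main() {
    bool hidden = false;
    std::string pw = read_password_fd(STDIN_FILENO, &hidden);
    // Report only metadata; never print the secret itself.
    std::string msg = "read " + std::to_string(pw.size()) + " bytes, echo "
                      + (hidden ? "disabled\n" : "not applicable (not a tty)\n");
    return write(STDERR_FILENO, msg.data(), msg.size()) < 0;
}
```

If the process is killed by a signal while reading, the destructor does not run and the terminal stays in no-echo mode, so a production reader would also restore the saved settings from a signal handler.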

@TheZ3ro TheZ3ro added this to the v2.4.0 milestone Mar 7, 2018
a-dma added a commit to a-dma/keepassxc that referenced this issue Mar 8, 2018
a-dma added a commit to a-dma/keepassxc that referenced this issue Mar 9, 2018
a-dma added a commit to a-dma/keepassxc that referenced this issue Mar 9, 2018
phoerious pushed a commit that referenced this issue Mar 9, 2018
@louib louib closed this as completed Mar 9, 2018
jtl999 pushed a commit to jtl999/keepassxc that referenced this issue Jul 29, 2018