From e772c4b6d52627c463e70b4284e3794aa0bd0634 Mon Sep 17 00:00:00 2001
From: Ryan Lue
Date: Thu, 30 Jun 2022 23:04:35 -0700
Subject: calcurse-caldav: Support PasswordCommand option

This commit adds a new `Auth/PasswordCommand` option to support security best practices re: handling secrets in CLI program configuration. Prior to this commit, the two available options for specifying a password were: 1. via the `Auth/Password` config parameter, or 2. via a `$CALCURSE_CALDAV_PASSWORD` environment variable. The former is unsafe for obvious reasons; the latter is unsafe because as long as the script is running, its environment can be accessed via $ cat /proc//environ and is thus visible to anyone with access to the system. This commit preserves preexisting behavior (for backward compatibility) but removes all mention of option 2 from the README. Since the README example for option 2 used a password command anyway, there is little reason to continue its use, and this commit recommends it be deprecated.

Signed-off-by: Lukas Fleischer
---
contrib/caldav/config.sample | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'contrib/caldav/config.sample')
diff --git a/contrib/caldav/config.sample b/contrib/caldav/config.sample
index e2c6c2d..0ba8fa8 100644
--- a/contrib/caldav/config.sample
+++ b/contrib/caldav/config.sample
@@ -48,11 +48,13 @@ DryRun = Yes
 # Enable this if you want detailed logs written to stdout.
 Verbose = Yes
 
-# Credentials for HTTP Basic Authentication. Leave this commented out if you do
-# not want to use authentication.
+# Credentials for HTTP Basic Authentication (if required).
+# Set `Password` to your password in plaintext (unsafe),
+# or `PasswordCommand` to a shell command that retrieves it (recommended).
 #[Auth]
 #Username = user
-#Password = password
+#Password = password
+#PasswordCommand = pass baikal
 
 # Optionally specify additional HTTP headers here.
 #[CustomHeaders]
-- cgit v1.2.3-54-g00ecf
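Review bot: The new `[Auth]` sample lists `#Password` and `#PasswordCommand` side by side but never says that only one should be set, nor which one takes effect if both are. A user who uncomments the whole block therefore keeps a plaintext password in the file next to the command. The script is not part of this diff, so the actual precedence cannot be confirmed here. I would state it in the comment, for example `# Set only one of the two keys below; if both are set, <which one wins - confirm against calcurse-caldav>.` Since the comment itself describes `PasswordCommand` as a shell command, it is also worth adding `# PasswordCommand is executed by a shell: keep this file owned by you and not writable by others.`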