
rofi-pass's Issues

Default configuration is not usable with a non-US keyboard

Hi,

Consider the following:

% pass someaccount
supersecret
---
user: azerty123456

rofi-pass will print qwerty!@#$%^ as username instead of azerty123456.

xdotool seems to be the criminal here, but everything just went downhill. (

echo -n "${stuff[${USERNAME_field}]}" | xdotool type --clearmodifiers --file -
)

rofi-pass is unusable as is 😭

% localectl 
   System Locale: LANG=en_US.utf-8
                  LC_TIME=en_DK.utf-8
                  LC_MONETARY=fr_FR.utf-8
                  LC_NAME=fr_FR.utf-8
                  LC_ADDRESS=fr_FR.utf-8
                  LC_TELEPHONE=fr_FR.utf-8
                  LC_MEASUREMENT=fr_FR.utf-8
       VC Keymap: fr-pc
      X11 Layout: fr

Wrong special chars while typing first field

I tried autotype with only one field, the password. In my case the password contains several special chars like ; and @. They were typed as < and q.
However also a Username containing these chars gets messed up. In fact it's always the first field, that gets messed up.

The script itself gets the correct data. I created a test password and executed bash -x /usr/bin/rofi-pass. The output:

Leading whitespace in usernames

I have pass entries that look like this:

mysecretpassword

---
login:    username
url:      https://example.org

(Those are 4 spaces between login: and username.)

My rofi-pass config looks like this:

URL_field='url'
USERNAME_field='login'

When I use rofi-pass to type or copy the username, the result always has a leading white space character. It looks like rofi-pass is just splitting the line at : (I think GitHub is stripping white space, but that is supposed to be a colon followed by a whitespace character).

I would like rofi-pass to strip leading and trailing whitespace from whatever field it is operating on. This could be done with sed.

$ echo "   test   " | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//'
test

rofi-pass breaks with mawk

This is not really an issue with rofi-pass, but I thought I'd mention it here, because it took me a while to figure out why the same rofi-pass worked perfectly on one machine, but not on another one. Seems like Ubuntu ships mawk instead of gawk as the default alternative for awk now (maybe I'm wrong, only got a sample size of one, point being mawk doesn't work), and that somehow breaks the line parsing in:

_id=$(echo -e "${LINE}" | awk -F ':[[:space:]]*' '{print $1}')

Xdo-typing the password still works, but none of the other variables like user or url can be used. For example, autotype always omits the user. Might be worth mentioning in the Readme that gawk is a requirement, not awk.
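
One way to read a field from a pass entry without depending on which awk is installed, with the whitespace trimming requested in the "Leading whitespace in usernames" issue (an added example, not rofi-pass code and not part of either issue; `trim` and `get_field` are hypothetical names, and the sample entry is constructed from the one shown above):

```sh
#!/bin/sh
# Added example, not rofi-pass code. trim and get_field are hypothetical.

# trim STRING
# Strip leading and trailing whitespace with parameter expansion only,
# so no sed or awk process is involved.
trim() {
  _s=$1
  _s=${_s#"${_s%%[![:space:]]*}"}   # drop the leading whitespace run
  _s=${_s%"${_s##*[![:space:]]}"}   # drop the trailing whitespace run
  printf '%s' "$_s"
}

# get_field NAME   (entry text on stdin)
# Print the trimmed value of the first "NAME: value" line after the
# password line. The line is split at the FIRST colon only, so a value
# such as https://example.org keeps its own colon.
get_field() {
  _want=$1
  _n=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _n=$((_n + 1))
    if [ "$_n" -eq 1 ]; then continue; fi      # line 1 is the password
    case $_line in
      *:*) ;;                                  # candidate "key: value"
      *) continue ;;                           # blank line, "---", etc.
    esac
    _key=$(trim "${_line%%:*}")
    if [ "$_key" = "$_want" ]; then
      trim "${_line#*:}"
      printf '\n'
      return 0
    fi
  done
  return 1                                     # field not present
}

# Constructed sample entry, laid out like the ones quoted in the issues.
sample_entry='mysecretpassword

---
login:    username
url:      https://example.org'

printf '%s\n' "$sample_entry" | get_field login   # username
printf '%s\n' "$sample_entry" | get_field url     # https://example.org
```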

Fail on moving parsers if no config dir was created in $HOME

Currently testing this, with the default config from /etc (so no files copied into my home dir)
And invoking rofi creates this message:

$ LANG=C rofi-pass
mkdir: cannot create directory '/home/omnius/.config/rofi-pass/parsers': No such file or directory
cp: target '/home/omnius/.config/rofi-pass/parsers' is not a directory

Is this intended behaviour? (like it's unnecessary to copy this if the user didn't create a config. Still the error messages aren't that nice)

xdotool doesn't know about --file

I searched the other issues & I couldn't find anything similar: xdotool won't accept the --file parameter:

$ echo "foo" | xdotool type --clearmodifiers --file -
type: unrecognized option '--file'
Usage: type [--window windowid] [--delay milliseconds] <things to type>
--window <windowid>    - specify a window to send keys to
--delay <milliseconds> - delay between keystrokes
--clearmodifiers       - reset active modifiers (alt, etc) while typing
--args N  - how many arguments to expect in the exec command. This is
            useful for ending an exec and continuing with more xdotool
            commands
--terminator TERM - similar to --args, specifies a terminator that
                    marks the end of 'exec' arguments. This is useful
                    for continuing with more xdotool commands.
-h, --help             - show this help output

It would work with either

$ echo -n type --clearmodifiers "foo" | xdotool - 
foo

or

$ xdotool type --clearmodifiers foo
foo

Using xdotool version 2.20110530.1 (the one Fedora 22 ships) + rofi-pass b01d40c.

Warning regarding an error while parsing

Hi

Not really sure if this is a problem with rofi or rofi-pass. I decided to open it here, because it just happens for me with rofi-pass. But dunno if you parse the config for colors (I suppose not).
Depending on the syntax in the .Xresource file regarding the color theme rofi-pass can generate a warning message and the shortcut text won't appear.

rofi.color-normal: #000000,#A0A0A0,#000000,#0C73C2,#FFFFFF

produces

$ rofi-pass
(process:17376): Pango-WARNING **: pango_layout_set_markup_with_accel: Value of 'foreground' attribute on tag on line 1 could not be parsed; should be a color specification, not ''

rofi.color-normal: #000000, #A0A0A0 ,#000000,#0C73C2,#FFFFFF

produces

$ rofi-pass
(process:18218): Pango-WARNING **: pango_layout_set_markup_with_accel: Value of 'foreground' attribute on tag on line 1 could not be parsed; should be a color specification, not '#A0A0A0 ,#000000,#0C73C2,#FFFFFF'

rofi.color-normal: #000000, #A0A0A0 , #000000,#0C73C2,#FFFFFF

$ rofi-pass
(process:18656): Pango-WARNING **: pango_layout_set_markup_with_accel: Value of 'foreground' attribute on tag on line 1 could not be parsed; should be a color specification, not '#A0A0A0 '

And lastly, the working one

rofi.color-normal: #000000, #A0A0A0, #000000,#0C73C2,#FFFFFF

Depending on the position of whitespaces it works or not.
So is this an issue with rofi-pass or should I open an issue at the rofi-repo?
Edit2: Looking at the code I saw that you parse the help color, and awk depends on the whitespace

Best regards

Edit:
Oh, and disabling color at all, just using the rofi defaults errors out too

keepass2pass.py fails

python keepass2pass.py -f ~/keepass.xml
[>>>>] Importing passwords from file /home/gregf/keepass.xml
[INFO] Root path: None
Traceback (most recent call last):
File "keepass2pass.py", line 141, in
main(sys.argv[1:])
File "keepass2pass.py", line 135, in main
import_passwords(xml_file, root_path)
File "keepass2pass.py", line 94, in import_passwords
root_group = root.find('Group')
AttributeError: 'NoneType' object has no attribute 'find'

Unsafe use of /tmp

rofi-pass has unsafe use of /tmp

20:26:50[justin@diablo ~/opt/rofi-pass]% git show --oneline
b6dcf56 Merge pull request #44 from qbit/master

20:27:02[justin@diablo ~/opt/rofi-pass]% ag tmp
rofi-pass
36:    rm -f "/tmp/$USER-rofi-pass/last_used"
37:    echo "${root}: $selected_password" > "/tmp/$USER-rofi-pass/last_used"
48:    rm -f "/tmp/$USER-rofi-pass/last_used"
49:    echo "${root}: $selected_password" > "/tmp/$USER-rofi-pass/last_used"
500:# create tmp dir
501:if [[ ! -d /tmp/$USER-rofi-pass ]]; then
502:  mkdir "/tmp/$USER-rofi-pass"
520:if [[ -r "/tmp/$USER-rofi-pass/last_used" ]] && [[ $1 == "--last-used" || $1 == "--show-last" ]]; then
521:  export root; root=$(awk -F ': ' '{ print $1 }' "/tmp/$USER-rofi-pass/last_used")
546:      if [[ -r "/tmp/$USER-rofi-pass/last_used" ]]; then
547:        entry="$(awk -F ': ' '{ print $2 }' "/tmp/$USER-rofi-pass/last_used")"
552:      if [[ -r "/tmp/$USER-rofi-pass/last_used" ]]; then
553:        selected_password="$(awk -F ': ' '{ print $2 }' "/tmp/$USER-rofi-pass/last_used")" showEntry

This means that another user on the box, who can create a symlink at /tmp/${VICTIM_USER}-rofi-pass before ${VICTIM_USER} uses rofi-pass, can cause ${VICTIM_USER} to:

  • rm -f a file called last_used in a directory of the attacker's choosing
  • redirect the text that corresponds to "${root}: $selected_password" into a file called last_used in a directory of the attacker's choosing

An example of nobody being able to cause me (justin) to send some text to ~justin/.ssh/last_used:

20:31:14[justin@diablo ~/opt/rofi-pass]% sudo -u nobody ln -s /home/justin/.ssh /tmp/justin-rofi-pass

20:31:36[justin@diablo ~/opt/rofi-pass]% ls -la /tmp/justin-rofi-pass
lrwxrwxrwx 1 nobody nogroup 17 Jul 16 20:31 /tmp/justin-rofi-pass -> /home/justin/.ssh

20:31:41[justin@diablo ~/opt/rofi-pass]% ls -la ~/.ssh/last_used
ls: cannot access '/home/justin/.ssh/last_used': No such file or directory

<use rofi-pass to access the pass password item called "demopassword">

20:32:14[justin@diablo ~/opt/rofi-pass]% ls -la ~/.ssh/last_used
-rw-r--r-- 1 justin justin 43 Jul 16 20:32 /home/justin/.ssh/last_used

20:32:38[justin@diablo ~/opt/rofi-pass]% cat ~/.ssh/last_used
/home/justin/.password-store: demopassword

It looks as though an attacker may be able to control the variables ${root}, ${entry} and ${selected_password} depending on how the victim user launches rofi-pass. I haven't gone too far down that rabbit hole just yet.

/tmp/ should be considered hostile and full of directories/files/symlinks planted by other users.
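
A hardened form of the directory handling reported above, as an added example that is not part of the original issue and not rofi-pass code: the state directory is accepted only if it is a real directory, owned by the caller, with mode 0700. The function names, the `rofi-pass` subdirectory name and the sandbox paths are assumptions.

```sh
#!/bin/sh
# Added example, not rofi-pass code. Function names are hypothetical.

# ensure_private_dir DIR
# Create DIR if it is missing, then accept it only when it is a real
# directory (not a symlink), owned by the current user, with mode 0700.
ensure_private_dir() {
  # No -p: mkdir fails on any existing path, including a planted symlink,
  # and the checks below decide whether what is there can be trusted.
  mkdir -m 700 -- "$1" 2>/dev/null || :
  if [ -L "$1" ]; then echo "refusing symlink: $1" >&2; return 1; fi
  if [ ! -d "$1" ]; then echo "not a directory: $1" >&2; return 1; fi
  if [ ! -O "$1" ]; then echo "not owned by this user: $1" >&2; return 1; fi
  case $(ls -ld -- "$1") in
    drwx------*) return 0 ;;
    *) echo "permissions too open: $1" >&2; return 1 ;;
  esac
}

# state_dir: print a location that other users cannot write to.
# XDG_RUNTIME_DIR is per-user and mode 0700 by the XDG Base Directory
# specification; the fallback assumes the cache directory already exists.
state_dir() {
  if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
    printf '%s\n' "$XDG_RUNTIME_DIR/rofi-pass"
  else
    printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}/rofi-pass"
  fi
}

# write_last_used DIR ROOT ENTRY
# Store the one-line history in the "root: entry" form shown in the issue,
# but only after DIR has passed the checks above.
write_last_used() {
  ensure_private_dir "$1" || return 1
  ( umask 077; printf '%s: %s\n' "$2" "$3" > "$1/last_used" )
}

# Constructed demonstration in a throwaway sandbox: "planted" plays the
# role of the pre-created /tmp/$USER-rofi-pass symlink, "target" the
# directory it points at.
demo() (
  sandbox=$(mktemp -d) || exit 1
  mkdir "$sandbox/target"
  ln -s "$sandbox/target" "$sandbox/planted"
  if write_last_used "$sandbox/planted" /store demopassword 2>/dev/null; then
    echo "planted symlink: followed"
  else
    echo "planted symlink: refused"
  fi
  write_last_used "$sandbox/clean" /store demopassword &&
    echo "clean path: wrote $(cat "$sandbox/clean/last_used")"
  rm -rf "$sandbox"
)
demo
```

In the script itself the call would be `write_last_used "$(state_dir)" "$root" "$selected_password"`. A squatted name in a shared directory still causes a refusal, which is why `state_dir` avoids /tmp altogether.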

again: sorry, cannot understand key combination: !Return

After (installing all required apps) git clone or sudo make install only thing that I get when running rofi-pass is sorry, cannot understand key combination: !Return. Is this still the #43 issue or is it just me who cannot integrate it into rofi?
And can you provide a sample code about how to use it together with rofi? I am new to it...

Setting '-font' option for rofi messes up interface

If I include '-font "Monospace 10"' (or any font, for that matter) in rofiopts, the interface is unusable.

Here's the rofiopts config:
rofiopts='-i -font "Monospace 10" -no-levenshtein-sort'

%  rofi -version
Version: 0.15.12

%  rofi-pass --help
rofi-pass (Version: 1.2)

I would attach a screenshot, however rofi-pass intercepts all keyboard key presses and I'm unable to launch scrot :)

Pinentry does not appear/Copied passwords do not end up in clipboard

I am using CopyQ as my clipboard manager, and when I start rofi-pass, then select an entry, then ALT+p, it copies it... Just that in CopyQ, there's no new copied item...

However, after 45 seconds when the clipboard is cleared, a new item ends up in CopyQ that seems to be two empty lines that are copied.

config-file

Is there any way to change the path to the config file? rofi-pass seems to expect it at /etc/rofi-pass, right? How can I tell rofi-pass that it is at ~/.rofi.conf for example?

combining bookmark mode and autofill?

Hi,

I was using pass & passff firefox extension for quite a long time but after some recent potential security issues I prefer the approach of rofi-pass!
I am playing around and make it almost work like my old configuration, the only thing I am not able to do is to open the url automatically and autofill, is there a way to do that?

Bookmark mode is working correctly and opening a tab in my iceweasel and goes to the right link
Autofill is also working correctly (I noticed a little glitch where I need to click into a form box for the mouse to focus on it, if I don't do that before rofi-pass is not able to fill the form, I am sure there is a little tips for that?)

My idea would be to combine both

many thanks

Latest release no longer respects username field

My pass entries look like this:

supersecretpassword

---
login:    pigmonkey
url:      https://somewhere.com

(Those are spaces separating the fields, not tabs.)

My ~/.config/rofi-pass/config looks like this:

URL_field='url'
USERNAME_field='login'
clip=clipboard
notify='true'

After upgrading to rofi-pass v1.4, the autotype features types <tab>supersecretpassword. Using alt+2 to copy the value of the login field does still work. If I edit my entry and rename login to user, autotype works.

The autotype function is not respecting USERNAME_field.

cannot paste @ sign from pass entry

When a pass entry contains an @ sign, rofi-pass cannot paste it into context, gives an ˇ sign instead. ($ sign does not work either, % does)

OTP / 2fa support for autotype

Hi,

I hacked the following into the rofi-pass script:

elif [[ $word == ":otp" ]]; then oathtool --totp --base32 "${stuff[${OTP_field}]}" | xdotool type --clearmodifiers --file -;

which enables OTP support in autotype. However I am not sure about the --base32 option. I guess most services do return a base32 code but not all. It also has a dependency on oathtools. I think this is a bit of an overkill.

If this is needed, and would be supported by this project, I would try to fix the issues I have with this solution right now and submit a PR request once I am finished.

What do you think? Awesome project by the way!

Sort password entries in list

It's a tiny modification, but IMHO it makes a big difference.

diff --git a/rofi-pass b/rofi-pass
index 9e89493..970dfa0 100755
--- a/rofi-pass
+++ b/rofi-pass
@@ -51,7 +51,7 @@ umask 077
 list_passwords() {
   cd "${root}" || exit
 
-  find -L . -iname '*.gpg' -printf '%P\n' | \
+  find -L . -iname '*.gpg' -printf '%P\n' | sort | \
     while read filename; do
       echo "${filename%.gpg}"
   done
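
Review bot: on the changed line `find -L . -iname '*.gpg' -printf '%P\n' | sort | \`, the bare `sort` orders by whatever locale is in effect, so the list order can differ from one environment to another; pin it with `LC_ALL=C sort`, or use `sort -f` if a case-insensitive order is what is wanted. It also sorts the names while the `.gpg` suffix is still attached, which puts `a-b.gpg` ahead of `a.gpg` in byte order even though the displayed names are `a` and `a-b`; placing the sort after the loop (`done | sort`) orders the entries as the user sees them. The unchanged `while read filename` in the same hunk has no `-r`, so a backslash in an entry name is dropped; `while IFS= read -r filename` would be the safer form while this line is being touched.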

Implement last-used for each used root directory

This way a one-item history for each root dir is saved and can be re-used separately.
This would need more complex argument parsing because --last-used and --root might be used together.
Also this needs to take PASSWORD_STORE_DIR env var and root config setting into account.

Not working when called from Linux Mint shortcuts launcher

I created a shortcut to launch the script using Linux Mint's keyboard settings. When I use the shortcut, the only option that shows up is pass even though my passwords also have user and autotype, and when I hit enter, nothing happens. When I call the script from the command line, everything is perfect. As a temporary workaround, I have changed the command to this: gnome-terminal -e "rofi-pass". That works, but I have to click back to firefox or the password just goes into the terminal.

Btw I use this script on my arch+xfce laptop and it's so nice. Thanks a bunch!

uname -a:

Linux Zeus 3.19.0-21-generic #21~14.04.1-Ubuntu SMP Sun Jun 14 18:45:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

pass version:

|-----------------------|
|   Password Store      |
|       v.1.4.2         |
|       by zx2c4        |
|                       |
|    [email protected]    |
|  Jason A. Donenfeld   |
|-----------------------|

sed --version:

sed (GNU sed) 4.2.2

rofi -v:

Version: 0.15.11

xdotool -v:

xdotool version 3.20140217.1

gawk -V:

GNU Awk 4.0.1

bash --version:

 GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
 Copyright (C) 2013 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 
 This is free software; you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

Specifying an alternative root directory

I have an alternative pass store at ~/otherpass. I'm trying to use rofi-pass to interact with that store.

$ rofi-pass --root ~/otherpass

This results in a rofi window with no password entries.

It looks like on line 38 rofi-pass is trying to append the root dir to the default password store, resulting in something like /home/user/.password-store///home/user/otherpass. I think the line should be something more like:

        passwords=( "${root}"/**/*.gpg )

Line 44 will also need to be altered so that the pass store dir is stripped from the filenames.

Login not possible with last commit

Hello, I had a problem with rofi-pass and to see if there is a fix, I have installed
the last version from git. Unfortunately, I can't login anymore.

I do the following: Start rofi-pass, choose a login (I get the list of the possible logins) and hit "Enter". After that, nothing happens
I tried in a terminal and it's much more interesting:

% rofi-pass 
Error: 14 is not in the password store.
Error: 14 is not in the password store.
type: unrecognized option '--file'
Usage: type [--window windowid] [--delay milliseconds] <things to type>
--window <windowid>    - specify a window to send keys to
--delay <milliseconds> - delay between keystrokes
--clearmodifiers       - reset active modifiers (alt, etc) while typing
--args N  - how many arguments to expect in the exec command. This is
            useful for ending an exec and continuing with more xdotool
            commands
--terminator TERM - similar to --args, specifies a terminator that
                    marks the end of 'exec' arguments. This is useful
                    for continuing with more xdotool commands.
-h, --help             - show this help output
    type: unrecognized option '--file'
Usage: type [--window windowid] [--delay milliseconds] <things to type>
--window <windowid>    - specify a window to send keys to
--delay <milliseconds> - delay between keystrokes
--clearmodifiers       - reset active modifiers (alt, etc) while typing
--args N  - how many arguments to expect in the exec command. This is
            useful for ending an exec and continuing with more xdotool
            commands
--terminator TERM - similar to --args, specifies a terminator that
                    marks the end of 'exec' arguments. This is useful
                    for continuing with more xdotool commands.
-h, --help             - show this help output

I assume the problem is with xdotool. Could you try first on your system? I have a Gentoo system
and it's possible something is missing in the package. But I also have an Archlinux system and it doesn't work. But I'm not sure that on Arch the git package installs the last commit.

Tab doesn't select the next entry

Pressing tab no longer selects the next entry in rofi-pass. The issue seems to have been introduced in 01eeb3e. I'm not sure why -kb-row-tab is being set to ''. Is this deliberate? Removing this makes it work again.

Default autotype options?

Many of my password files have the same two bottom lines:

user: my@email
autotype: user :tab pass :enter

Is there a way to make this the default? I see the addpass command can add these to the files if you use it to generate the password but I want autotype to default to typing my email then the password even if the password file only has one line: the password.

Send notification after typing

I find myself frequently using rofi-pass to type credentials into things that do not echo (ie, a sudo prompt). I know typing takes a second or two, but because I can't see it working and there is no notification upon completion, I'm never sure when it is done. Generally I end up telling rofi-pass to type the entry and then counting to 5 in my head before hitting return.

It would be nice if rofi-pass could notify the user when typing is complete via notify-send, just like it does when a password has been copied. This should probably be a configurable option that defaults to off, since it would get annoying if you predominantly use rofi-pass to type credentials into things that echo the typing, like most GUI apps.

Copy URLs

I frequently want to copy the URL from a pass entry, either to paste it into a specific browser window or to paste it into a different program. This is usually more useful to me than the ability to open the URL in the default browser directly from the entry. Could this be added to rofi-pass? Perhaps with a default mapping of Alt+L (l for link, since u is taken).

Simplify hotkeys

Merge several hotkeys into a single "Actions" key. (move, delete, etc)

List pwgen as a requirement

Just tried generating a password and it did nothing. Obviously, pwgen was not installed.

I think requirements section should list pwgen. Feel free to note that it is only required if one wants to generate passwords.

Autoselection when the mouse is over the rofi window

Hello.
When the mouse is over the rofi (pass) window when it starts, a password is automatically selected.
It should not autoselect a password.
rofi run does not have this issue, so I believe the issue is in the options sent to rofi.
Thanks to fix this issue.

Add xclip selection to config

Currently it appears that rofi-pass copies usernames to the default selection and passwords to both the default and clipboard selections. This was not intuitive to me -- I had to read through the script to see why usernames were not added to my clipboard after I copied them with rofi-pass.

I'm not sure if there is a reason for the difference in behaviour between copying usernames and passwords, but I think it would be nice to have the selection configurable by the user. Something like an xclip_selection setting in the configuration file, with possible options of primary, secondary and clipboard. I would then expect rofi-pass to apply this to both usernames and passwords.

Disable keyboard repeat?

Hi,

thanks a lot for writing rofi-pass! I have an issue with auto-typing passwords via xdotool: In about one third of the cases it types the password or username incorrectly because one character is typed twice. I suspected that this has something to do with keyboard repeat (I have a high repeat rate with a rather short delay, xset r rate 180 60). I added a bit of code to rofi-pass which disables keyboard repeat, types the password with xdotool, and then re-enables keyboard repeat (if it was enabled before). This solves my issue perfectly.

Would you be willing to accept a PR which adds this (and enables it by default)?

freebsd grep

BSD grep doesn't contain -P for perl regex. There is a package called gnugrep which installs gnugrep to /usr/local/bin/grep. It would be nice to have rofi detect if you are on freebsd and use the right grep.

Problem with Firefox and Roundcube

Scenario: Open a Roundcube login page in Firefox and focus the username field.

Problem: Upon selecting a password from list of passwords and pressing enter, the focus in Roundcube login page is moved from the username to the password field.

This happens right before selecting a field for rofi-pass to type out.

Don't send 'Tab' when 'autotype' and 'username' is undefined

Here: https://github.com/carnager/rofi-pass/blob/master/rofi-pass#L45, it looks like tab will always be sent if a password has no autotype field, but I think that rofi should detect if a username field exists, and only send a tab if it does.

Here's a use case that works as expected from the current implementation. router-password:

password

---
user: username

rofi-pass would send username\tpassword through xdotool, but if router-password contains:

password

---

rofi-pass would just send \tpassword, which would almost always tab out of the highlighted password field. I believe a good solution is detecting if USERNAME_field is defined, if so, send ${USERNAME_field}\t${password}, if not, just send ${password}

Hide the password from the menu

Hello.
Currently, the password is shown in the menu, but I would like to hide it.
Is there an option to never show the password in the menu?
Thanks.

Embed default config in rofi-pass

If neither config file exists, the program prints errors such as:

The script command 'window' has 1 options, but needs 2: <name>:<script>.
Invalid script switcher: window

And won't work overall. As soon as the default config is copied, rofi-pass works fine. I think that after the config files are sourced, default values should be loaded for unset variables. This would prevent confusing errors like the ones shown above. One possible implementation could be to add config lines like this:

USERNAME_field=${USERNAME_field:-'user'}
AUTOTYPE_field=${AUTOTYPE_field:-'autotype'}
...

after sourcing both config files. This will set the fields to their default value only if they are unset. Though I'm not sure how the _rofi command would be implemented this way. Possibly use something like:

declare -f  _rofi || _rofi() {
  rofi -z -i -width 700 -no-levenshtein-sort "$@"
}

Tagging releases?

Hey! First of all: let me thank you for developing rofi-pass, it's quite useful :) Do you think about tagging releases at some point? It would make for saner packaging (I am packaging this for NixOS) imho. Anyway, keep up the good work!

Autotyping with fewer keystrokes

My habit with previous versions of rofi-pass has been to find the entry I want and hit enter for rofi-pass to autotype it. With rofi-pass v1.4, hitting enter on the entry brings up the new menu asking me what I want to do. I have to hit enter a second time, or I have to hit alt+1 when on the entry.

Personally I'm not a fan of the new menu asking me what I want to do as it requires an extra keystroke. I can see how it would be nice for new users, or for those who do not autotype the majority of the time. Is it possible to make the default entry behaviour configurable? It would be great if the default could remain the same, but I could configure the default action to be autotype instead of menu or something.

I actually see a default_do config option currently that kind of looks like what I am imaging, but it doesn't look like it is being used for anything.

Opening URL in private window

If I want to open an URL from command line e.g. w/ firefox the command is firefox -private-window mysite.com but if in the pass entry when I use url: -private-window mysite.com it will only open a private window w/o the URL pasted and submitted. Using quotation mark does not help.

Auto-create ~/.config/rofi-pass

$HOME/.config/rofi-pass is expected to exist, especially with $HOME/.config/rofi-pass/last_used - but the directory is not being autocreated.
