makeself --ssl-passwd usage exposed in header --info #193

Open
arrjay opened this issue Nov 24, 2019 · 1 comment
arrjay commented Nov 24, 2019

Currently, any password supplied using --ssl-passwd when creating a makeself archive is exposed in the header --info block with the build commands. Problem can be sidestepped by using --ssl-pass-src and a temporary file instead. Should probably either rework the build info to drop/redact that argument or stop supporting --ssl-passwd.

@Saruspete

Thanks for this info. I never bothered to read the source of an encrypted, but this is indeed... well, quite deceiving.

Instead of removing it, the password should be filtered or replaced afterwards in the final archive.

Either replace your password:

```shell
sed -i archive.run -e 's/mypassword/**SECRET**/'
```

or a more generic approach (only tested with GNU sed) to replace most chars after --ssl-passwd:

```shell
sed -i archive.run -Ee '/--ssl-passwd/!b;n;s/[a-zA-Z0-9]+/**REMOVED**/'
```

Or better, do the filtering during the archive creation by makeself.sh with something like this:

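```shell
secretnext=0
for f in ${1+"$@"}; do
    # Replace the argument that follows --ssl-passwd before it is recorded
    if test "x$secretnext" = x1; then
        f="**REDACTED**"
        secretnext=0
    fi
    MS_COMMAND="$MS_COMMAND \\\\
    \\\"$f\\\""
    # Flag the next argument as the password value
    if test "x$f" = x--ssl-passwd; then
        secretnext=1
    fi
done
```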
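
A check for archives that were already built, added here as an example (it is not part of the comments above or of makeself itself). It reports where an unredacted value follows `--ssl-passwd`, without printing the value. The function name is hypothetical, and the layout it assumes (option on one line, value on the next, wrapped in escaped quotes) is the one the sed one-liner above relies on.

```shell
#!/bin/sh
# Added example: audit a makeself archive for an exposed --ssl-passwd value.
# Assumption: the recorded build command keeps one argument per line, so the
# password sits on the line after the --ssl-passwd option.

# Prints the line number of each exposed value (never the value itself).
# Returns 0 if at least one exposure is found, 1 if none.
find_exposed_ssl_passwd() {
    LC_ALL=C awk '
        # Strip surrounding blanks, backslashes and quotes from one line.
        function bare(s) { gsub(/^[ \t\\"]+|[ \t\\"]+$/, "", s); return s }
        armed {
            armed = 0
            v = bare($0)
            # Placeholders used on this page count as already redacted.
            if (v != "**SECRET**" && v != "**REMOVED**" && v != "**REDACTED**") {
                print NR
                found = 1
            }
            next    # a value line never arms the check again
        }
        bare($0) == "--ssl-passwd" { armed = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample (not taken from a real archive).
sample=$(mktemp)
cat > "$sample" <<'EOF'
makeself.sh \\
    \"--ssl-passwd\" \\
    \"hunter2\" \\
    \"src\" \\
    \"archive.run\"
EOF
if lines=$(find_exposed_ssl_passwd "$sample"); then
    echo "unredacted --ssl-passwd value at line(s): $lines"
fi
rm -f "$sample"
```

Any archive it flags was built with a password that should be treated as disclosed to everyone who received the file.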
