Password History #628

Closed
wants to merge 567 commits into from

@boginw boginw commented Jun 29, 2022

This PR introduces a new subcommand with the ability to fetch password history from the API. This closes #245.

Discussion points:

As far as I know, it is not possible to retrieve the history from the cache, so a call is needed for every password history retrieval. Adding this as an option to show or ls seemed like it would produce a lot of unnecessary calls, which is why it was made into a new subcommand.

In order to parse the results from the API, a third-party library JSON parser was added (tiny-json). However, given that the current requirements only include JSON types of objects, arrays, and strings, there might be room for optimization.

filcuc and others added 30 commits September 20, 2016 22:57
Signed-off-by: Filippo Cucchetto filippocucchetto@gmail.com
Signed-off-by: Filippo Cucchetto filippocucchetto@gmail.com
A user reported that using Server secure note type resulted
in some odd stuff showing up in the plugin vault.  This note
type has a "Username" and "Password" field, but we already
use that to map to account->username and account->password.

When collapsing, the contents of those fields gets copied
back into the note, along with any fields in the fields list.
Unfortunately, we *also* copied in the empty duplicate
Username/Password fields from the fields, resulting in a
note with extra fields that confused the plugin.

Fix this by not creating the duplicate fields in the fields
list in the first place; then only the version in the account
will get copied into the note.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
Similarly to account_is_group, add a function that documents the
special url format denoting secure note types rather than open-coding
the comparison.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
It was reported that editing a secure note to rename it doesn't work,
while it does work for accounts.  The reason is we apply name
changes only if the user had specified `--name`.  But this is a
historical limitation, e.g. when using the "any" edit type it makes
sense to retain username edits, so just do it always since we
always have a copy of the original account name in any case.

Fixes lastpass#106.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
I stumbled across a segfault doing 'lpass ls -l' -- it's possible for
an account not to have an mtime at all, so don't crash in this case.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
There is more than one implementation now for a simple string
buffer object (string + allocated size + used length), so
standardize on the implementation in blob.c.

Add append_char (used by import) and append_str (to be used later)
to round out the common operations we will need.

This also fixes an off-by-one in append_char.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
We occasionally get requests to add new fields to ls output
or somehow customize what stuff gets shown to make things
better for humans or for screen scrapers.

Rather than trying to accommodate everyone's use case, add
a new format library like printf, so that you can (eventually)
do things like

    ./lpass ls --format='%N %i %u'

or

    ./lpass show --format='%fN'

...or whatever.  I haven't really settled on the right format
strings to use so this is still a WIP, but currently it can
handle generating the existing (non-color) ls format.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
The format string only needs to be created once instead of in
a loop, and using xasprintf simplifies things a bit, so do that.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This drops a bit of code duplication by using the same format
string for both color-less and tree mode output.  The only
difference in the format string between the two is whether the
fullname or short account name is used; we can go ahead and
embed the terminal color codes which will simply get stripped
in terminal_printf.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This adds the ability to supply a custom format string to ls.
This might be useful for certain scripting tasks; e.g. you can
save a sed/awk pipeline when grabbing an id by doing:

    lpass ls --format=%i account-name

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This adds some infrastructure useful for cmd-show:

 - You can use '/' after % to include a slash only if the expansion
   of the rest of the placeholder is non-empty
 - group and shared folder name gained their own placeholders

Thus showing a path-like representation of a name can be done
like "%/S%/g%Nf".

Also, format_field function was added which formats a name/value pair
("%fn", "%fv" resp.).  It also takes an account so that it can format
any of the existing account fields as needed.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This adds the ability to specify the field format used with command-show
using "--format", and the title format with "--title-format".

Just as a fairly contrived example, you can get almost-json like this:

    echo "{"; \
    ./lpass show --title-format='    "title": "%/S%/g%Ns",' \
        --format='    "%fn": "%fv",' foo; \
    echo "}"

Signed-off-by: Bob Copeland <copeland@lastpass.com>
Group the placeholders by type of object being printed (so "%aX" for
account).  This reduces pollution of the top-level namespace a bit
so that we can use more natural characters.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This uses the new format string infrastructure to display
just fieldnames in a subshell so that the fields in a specific
account can be tab-completed.  In order for lpass to know which
account is being queried, you have to specify account name first,
like:

    lpass show foo --field [tab]

There's a slight annoyance that title cannot go away completely,
so post-process with egrep to drop those.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
$(wildcard) does not guarantee a sorted list, which also causes
a non-deterministic order while linking the binary.
To support reproducible building, the list is explicitly sorted.

Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
Builds with CMake would link against the wrong (apple-supplied)
version of openssl; make sure we use the one installed by brew.

Pass -DOPENSSL_INCLUDE_DIR to use something else.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
Add the install-doc target to install the manpage which was present
in the original Makefile but missing here.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
"cmake ." in order to get a Makefile for make.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
Signed-off-by: Bob Copeland <copeland@lastpass.com>
This is needed on some Linux platforms for error-free build.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
If we can determine the destination directory, install
bash completions file.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
CMake complains when building in cygwin unless you tell it
whether or not your project needs win32.  So tell it.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
Signed-off-by: Bob Copeland <copeland@lastpass.com>
Signed-off-by: Bob Copeland <copeland@lastpass.com>
For some use cases we may need to ask the user for one of several
options, not just yes or no.  Add a function that implements this,
taking the charset of options as a string and returning the selected
option.

Rewrite ask_yes_no to use the new function.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
This change adds the ability to retrieve attachments for secure notes.
The `lpass show` command now shows attachment ids and filenames if
a secure note has attachments.  The attachment id can then be passed
to `lpass show acct --attach=attachid` which will either print the
attachment (if non-binary) or offer the ability to save.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
In OpenSSL 1.1+, EVP_CIPHER_CTX can no longer be declared on
the stack; instead you have to declare a pointer and then
use _new()/_free() to allocate or free it.  These functions
continue to work on older OpenSSL, so switch to the new
method.

Signed-off-by: Bob Copeland <copeland@lastpass.com>
GPaulovics and others added 16 commits April 15, 2019 16:15
Signed-off-by: Wesley Schwengle <wesley@schwengle.net>
Change credits to Wesley Schwengle for 1.3.3 release
Refactor agent.c for socket initialisation by @waterkip
add lastpass attachment export script by @mindrunner
wl-copy appears to have become the de-facto standard command line
program for copying to the clipboard on Wayland, with multiple
implementations of the same interface[1][2].

I think it makes sense for wl-copy to be preferred over xclip if both
are installed, since Wayland should generally be preferred over X11.

[1]: https://github.com/bugaevc/wl-clipboard
[2]: https://github.com/YaLTeR/wl-clipboard-rs

Signed-off-by: Alyssa Ross <hi@alyssa.is>
MS Authenticator is currently incompatible with this tool (lastpass#442). I noticed that MFA errors are mapped in an array of `multifactor_type`, which I've updated with the appropriate error codes for MS Authenticator (tested running through a debugger).

Signed-off-by: John Hammerlund johnhammerlund@gmail.com
Add MFA support for Microsoft Authenticator
Signed-off-by: Bogi Napoleon Wennerstrøm <bogi.wennerstrom@gmail.com>
…mand

Signed-off-by: Bogi Napoleon Wennerstrøm <bogi.wennerstrom@gmail.com>
Signed-off-by: Bogi Napoleon Wennerstrøm <bogi.wennerstrom@gmail.com>
@Fire-Dragon-DoL

Hello, given the recent breach this Pull request is suddenly important. LastPass, can you please get this verified and merged?

@Fire-Dragon-DoL

In case somebody else ends up on this PR, I forked it and added support for shared folders (it's hacky) and included a script to download the entire password history: #245 (comment)

@boginw
Author

boginw commented Dec 28, 2022

Hi @Fire-Dragon-DoL and happy holidays 🎉

Thanks for your interest in this PR. Unfortunately, LastPass very rarely commits to this repo anymore. I wouldn't get my hopes up if I were you.

P.S.: The link in your comment (https://github.com/Fire-Dragon-DoL/lastpass-cli-history) is dead. Maybe the repo is private?

@Fire-Dragon-DoL

> Hi @Fire-Dragon-DoL and happy holidays 🎉
>
> Thanks for your interest in this PR. Unfortunately, LastPass very rarely commits to this repo anymore. I wouldn't get my hopes up if I were you.
>
> P.S.: The link in your comment (https://github.com/Fire-Dragon-DoL/lastpass-cli-history) is dead. Maybe the repo is private?

Yes! Thank you for the response, I made it public.

As I reported, it's hacky, I don't use C often, plus reverse-engineering lastpass wasn't really my plan for the holidays, so I brought it where it was functional enough for me to run the backup.

@waterkip
Contributor

@Fire-Dragon-DoL

> @Fire-Dragon-DoL maybe we can combine forces: https://github.com/lastpass-cli-fork/lastpass-cli

Appreciate the offer, but I performed my migration and I'm ready to move on, I don't plan to continue using LastPass for the foreseeable future.

@0xdevalias

@mateusmartins-lp It's good 'open source courtesy' to give context when closing an issue/PR, not just closing it with no explanation.

@0xdevalias

> > @mateusmartins-lp It's good 'open source courtesy' to give context when closing an issue/PR, not just closing it with no explanation.
>
> Hello @0xdevalias. The Pull Requests were closed unintentionally. By tomorrow I will be sure to leave a message on how to proceed. My sincere apologies for the inconvenience.

Originally posted by @mateusmartins-lp in #553 (comment)

@mateusmartins-lp
Contributor

Regrettably, your PR submission was unintentionally closed during an operation, before we could complete our review and respond accordingly. Unable to revert it to 'Open' status, we invite you to resubmit your contribution at your earliest convenience. We apologize for this mishap. Rest assured, we value all contributions and remain dedicated to providing transparency and closure to the community. Thank you for your understanding.

Development

Successfully merging this pull request may close these issues.

Retrieving history