LibCore: Make get_password return SecretString instead of String

We shouldn't let secrets sit around in memory, as they could potentially
be retrieved by an attacker, or left in memory during a core dump.

Userland/Libraries/LibCore/GetPassword.cpp

@@ -13,7 +13,7 @@
 
 namespace Core {
 
-Result<String, OSError> get_password(const StringView& prompt)
+Result<SecretString, OSError> get_password(const StringView& prompt)
 {
     if (write(STDOUT_FILENO, prompt.characters_without_null_termination(), prompt.length()) < 0)
         return OSError(errno);
@@ -44,8 +44,6 @@ Result<String, OSError> get_password(const StringView& prompt)
     // Remove trailing '\n' read by getline().
     password[line_length - 1] = '\0';
 
-    String s(password);
+    return SecretString::take_ownership(password, line_length);
-    free(password);
-    return s;
 }
 }

Userland/Libraries/LibCore/GetPassword.h

@@ -9,9 +9,10 @@
 #include <AK/OSError.h>
 #include <AK/Result.h>
 #include <AK/String.h>
+#include <LibCore/SecretString.h>
 
 namespace Core {
 
-Result<String, OSError> get_password(const StringView& prompt = "Password: ");
+Result<SecretString, OSError> get_password(const StringView& prompt = "Password: "sv);
 
 }

Userland/Utilities/passwd.cpp

@@ -5,6 +5,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <AK/ScopeGuard.h>
 #include <LibCore/Account.h>
 #include <LibCore/ArgsParser.h>
 #include <LibCore/GetPassword.h>
@@ -114,7 +115,7 @@ int main(int argc, char** argv)
             return 1;
         }
 
-        if (new_password.value() != new_password_retype.value()) {
+        if (new_password.value().view() != new_password_retype.value().view()) {
             warnln("Sorry, passwords don't match.");
             warnln("Password for user {} unchanged.", target_account.username());
             return 1;

Userland/Utilities/pls.cpp

@@ -5,6 +5,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <AK/ScopeGuard.h>
 #include <LibCore/Account.h>
 #include <LibCore/ArgsParser.h>
 #include <LibCore/GetPassword.h>

Userland/Utilities/su.cpp

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <AK/ScopeGuard.h>
 #include <LibCore/Account.h>
 #include <LibCore/ArgsParser.h>
 #include <LibCore/GetPassword.h>

Userland/Utilities/test-imap.cpp

@@ -22,7 +22,7 @@ int main(int argc, char** argv)
     bool tls { false };
 
     String username;
-    String password;
+    Core::SecretString password;
 
     bool interactive_password;
 
@@ -40,17 +40,17 @@ int main(int argc, char** argv)
             warnln("{}", password_or_err.error().string());
             return 1;
         }
-        password = password_or_err.value();
+        password = password_or_err.release_value();
     } else {
         auto standard_input = Core::File::standard_input();
-        password = standard_input->read_all();
+        password = Core::SecretString::take_ownership(standard_input->read_all());
     }
 
     Core::EventLoop loop;
     auto client = IMAP::Client(host, port, tls);
     client.connect()->await();
 
-    auto response = client.login(username, password)->await().release_value();
+    auto response = client.login(username, password.view())->await().release_value();
     outln("[LOGIN] Login response: {}", response.response_text());
 
     response = move(client.send_simple_command(IMAP::CommandType::Capability)->await().value().get<IMAP::SolidResponse>());