Project

General

Profile

Download (7.48 KB)

Feature #14915 » 0001-Deprecate-String-crypt.patch

jeremyevans0 (Jeremy Evans), 07/26/2018 07:42 PM

View differences:

string.c
* salt string. While the format and the result are system and
* implementation dependent, using a salt matching the regular
* expression <code>\A[a-zA-Z0-9./]{2}</code> should be valid and
* safe on any platform, in which only the first two characters are
* significant.
* safe on most platforms, in which only the first two characters are
* significant. However, this uses DES-crypt, an insecure form of
* password hashing.
*
* This method is for use in system specific scripts, so if you want
* a cross-platform hash function consider using Digest or OpenSSL
* instead.
*
* This method is deprecated, install the string-crypt gem and
* require 'string/crypt' to continue using it.
*/
static VALUE
rb_str_crypt(VALUE str, VALUE salt)
{
rb_warn("The String#crypt method is deprecated. " \
"Install the string-crypt gem and require \"string/crypt\" " \
"to continue using String#crypt.");
#ifdef HAVE_CRYPT_R
VALUE databuf;
struct crypt_data *data;
test/ruby/test_m17n_comb.rb
end
end
private def crypt_result(str, salt)
assert_warn(/The String#crypt core method is deprecated/) do
str.crypt(salt)
end
end
private def confirm_crypt_result(str, salt)
if b(salt).length < 2
assert_raise(ArgumentError) { str.crypt(salt) }
assert_raise(ArgumentError) { crypt_result(str, salt) }
return
end
t = str.crypt(salt)
assert_equal(b(str).crypt(b(salt)), t, "#{encdump(str)}.crypt(#{encdump(salt)})")
t = crypt_result(str, salt)
assert_equal(crypt_result(b(str), b(salt)), t, "#{encdump(str)}.crypt(#{encdump(salt)})")
assert_encoding('ASCII-8BIT', t.encoding)
end
test/ruby/test_string.rb
assert_raise(ArgumentError) { "foo".count }
end
def crypt(str, salt)
assert_warn(/The String#crypt core method is deprecated/) do
str.crypt(salt)
end
end
def test_crypt
if RubyVM::MJIT.enabled?
skip "This sometimes fails with -DMJIT_FORCE_ENABLE. This seems important to be fixed..."
end
assert_equal(S('aaGUC/JkO9/Sc'), S("mypassword").crypt(S("aa")))
assert_not_equal(S('aaGUC/JkO9/Sc'), S("mypassword").crypt(S("ab")))
assert_raise(ArgumentError) {S("mypassword").crypt(S(""))}
assert_raise(ArgumentError) {S("mypassword").crypt(S("\0a"))}
assert_raise(ArgumentError) {S("mypassword").crypt(S("a\0"))}
assert_raise(ArgumentError) {S("poison\u0000null").crypt(S("aa"))}
assert_equal(S('aaGUC/JkO9/Sc'), crypt(S("mypassword"), S("aa")))
assert_not_equal(S('aaGUC/JkO9/Sc'), crypt(S("mypassword"), S("ab")))
assert_raise(ArgumentError) {crypt(S("mypassword"), S(""))}
assert_raise(ArgumentError) {crypt(S("mypassword"), S("\0a"))}
assert_raise(ArgumentError) {crypt(S("mypassword"), S("a\0"))}
assert_raise(ArgumentError) {crypt(S("poison\u0000null"), S("aa"))}
[Encoding::UTF_16BE, Encoding::UTF_16LE,
Encoding::UTF_32BE, Encoding::UTF_32LE].each do |enc|
assert_raise(ArgumentError) {S("mypassword").crypt(S("aa".encode(enc)))}
assert_raise(ArgumentError) {S("mypassword".encode(enc)).crypt(S("aa"))}
assert_raise(ArgumentError) {crypt(S("mypassword"), S("aa".encode(enc)))}
assert_raise(ArgumentError) {crypt(S("mypassword".encode(enc)), S("aa"))}
end
@cls == String and
assert_no_memory_leak([], 's = ""', "#{<<~"begin;"}\n#{<<~'end;'}")
begin;
1000.times { s.crypt(-"..").clear }
1000.times { crypt(s, -"..").clear }
end;
end
test/webrick/test_httpauth.rb
next
end
if hash_algo == :bcrypt
warning = /\A\z/
else
warning = /The String#crypt core method is deprecated/
end
define_method(:"test_basic_auth_htpasswd_#{hash_algo}") do
log_tester = lambda {|log, access_log|
log.reject! {|line| /\A\s*\z/ =~ line }
......
Tempfile.create("test_webrick_auth") {|tmpfile|
tmpfile.close
tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
assert_warn(warning) do
tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
end
tmp_pass.flush
htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
......
}
http = Net::HTTP.new(addr, port)
g = Net::HTTP::Get.new(path)
g.basic_auth("webrick", "supersecretpassword")
http.request(g){|res| assert_equal("hoge", res.body, log.call)}
g.basic_auth("webrick", "not super")
http.request(g){|res| assert_not_equal("hoge", res.body, log.call)}
assert_warn(warning) do
g.basic_auth("webrick", "supersecretpassword")
http.request(g){|res| assert_equal("hoge", res.body, log.call)}
g.basic_auth("webrick", "not super")
http.request(g){|res| assert_not_equal("hoge", res.body, log.call)}
end
}
}
end
......
Tempfile.create("test_webrick_auth") {|tmpfile|
tmpfile.close
tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
assert_warn(warning) do
tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
end
tmp_pass.flush
htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
......
}
http = Net::HTTP.new(addr, port)
g = Net::HTTP::Get.new(path)
g.basic_auth("foo\ebar", "passwd")
assert_warn(warning) do
g.basic_auth("foo\ebar", "passwd")
end
http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
}
}
(2-2/5)