Project

General

Profile

Feature #14915 ยป 0001-Deprecate-String-crypt.patch

jeremyevans0 (Jeremy Evans), 07/26/2018 07:42 PM

View differences:

string.c
9205 9205
 *  salt string.  While the format and the result are system and
9206 9206
 *  implementation dependent, using a salt matching the regular
9207 9207
 *  expression <code>\A[a-zA-Z0-9./]{2}</code> should be valid and
9208
 *  safe on any platform, in which only the first two characters are
9209
 *  significant.
9208
 *  safe on most platforms, in which only the first two characters are
9209
 *  significant.  However, this uses DES-crypt, an insecure form of
9210
 *  password hashing.
9210 9211
 *
9211 9212
 *  This method is for use in system specific scripts, so if you want
9212 9213
 *  a cross-platform hash function consider using Digest or OpenSSL
9213 9214
 *  instead.
9215
 *
9216
 *  This method is deprecated, install the string-crypt gem and
9217
 *  require 'string/crypt' to continue using it.
9214 9218
 */
9215 9219

  
9216 9220
static VALUE
9217 9221
rb_str_crypt(VALUE str, VALUE salt)
9218 9222
{
9223
    rb_warn("The String#crypt method is deprecated. " \
9224
	"Install the string-crypt gem and require \"string/crypt\" " \
9225
	"to continue using String#crypt.");
9226

  
9219 9227
#ifdef HAVE_CRYPT_R
9220 9228
    VALUE databuf;
9221 9229
    struct crypt_data *data;
test/ruby/test_m17n_comb.rb
771 771
    end
772 772
  end
773 773

  
774
  private def crypt_result(str, salt)
775
    assert_warn(/The String#crypt core method is deprecated/) do
776
      str.crypt(salt)
777
    end
778
  end
779

  
774 780
  private def confirm_crypt_result(str, salt)
775 781
    if b(salt).length < 2
776
      assert_raise(ArgumentError) { str.crypt(salt) }
782
      assert_raise(ArgumentError) { crypt_result(str, salt) }
777 783
      return
778 784
    end
779
    t = str.crypt(salt)
780
    assert_equal(b(str).crypt(b(salt)), t, "#{encdump(str)}.crypt(#{encdump(salt)})")
785
    t = crypt_result(str, salt)
786
    assert_equal(crypt_result(b(str), b(salt)), t, "#{encdump(str)}.crypt(#{encdump(salt)})")
781 787
    assert_encoding('ASCII-8BIT', t.encoding)
782 788
  end
783 789

  
test/ruby/test_string.rb
646 646
    assert_raise(ArgumentError) { "foo".count }
647 647
  end
648 648

  
649
  def crypt(str, salt)
650
    assert_warn(/The String#crypt core method is deprecated/) do
651
      str.crypt(salt)
652
    end
653
  end
654

  
649 655
  def test_crypt
650 656
    if RubyVM::MJIT.enabled?
651 657
      skip "This sometimes fails with -DMJIT_FORCE_ENABLE. This seems important to be fixed..."
652 658
    end
653 659

  
654
    assert_equal(S('aaGUC/JkO9/Sc'), S("mypassword").crypt(S("aa")))
655
    assert_not_equal(S('aaGUC/JkO9/Sc'), S("mypassword").crypt(S("ab")))
656
    assert_raise(ArgumentError) {S("mypassword").crypt(S(""))}
657
    assert_raise(ArgumentError) {S("mypassword").crypt(S("\0a"))}
658
    assert_raise(ArgumentError) {S("mypassword").crypt(S("a\0"))}
659
    assert_raise(ArgumentError) {S("poison\u0000null").crypt(S("aa"))}
660
    assert_equal(S('aaGUC/JkO9/Sc'), crypt(S("mypassword"), S("aa")))
661
    assert_not_equal(S('aaGUC/JkO9/Sc'), crypt(S("mypassword"), S("ab")))
662
    assert_raise(ArgumentError) {crypt(S("mypassword"), S(""))}
663
    assert_raise(ArgumentError) {crypt(S("mypassword"), S("\0a"))}
664
    assert_raise(ArgumentError) {crypt(S("mypassword"), S("a\0"))}
665
    assert_raise(ArgumentError) {crypt(S("poison\u0000null"), S("aa"))}
660 666
    [Encoding::UTF_16BE, Encoding::UTF_16LE,
661 667
     Encoding::UTF_32BE, Encoding::UTF_32LE].each do |enc|
662
      assert_raise(ArgumentError) {S("mypassword").crypt(S("aa".encode(enc)))}
663
      assert_raise(ArgumentError) {S("mypassword".encode(enc)).crypt(S("aa"))}
668
      assert_raise(ArgumentError) {crypt(S("mypassword"), S("aa".encode(enc)))}
669
      assert_raise(ArgumentError) {crypt(S("mypassword".encode(enc)), S("aa"))}
664 670
    end
665 671

  
666 672
    @cls == String and
667 673
      assert_no_memory_leak([], 's = ""', "#{<<~"begin;"}\n#{<<~'end;'}")
668 674
    begin;
669
      1000.times { s.crypt(-"..").clear  }
675
      1000.times { crypt(s, -"..").clear  }
670 676
    end;
671 677
  end
672 678

  
test/webrick/test_httpauth.rb
69 69
      next
70 70
    end
71 71

  
72
    if hash_algo == :bcrypt
73
      warning = /\A\z/
74
    else
75
      warning = /The String#crypt core method is deprecated/
76
    end
77

  
72 78
    define_method(:"test_basic_auth_htpasswd_#{hash_algo}") do
73 79
      log_tester = lambda {|log, access_log|
74 80
        log.reject! {|line| /\A\s*\z/ =~ line }
......
89 95
        Tempfile.create("test_webrick_auth") {|tmpfile|
90 96
          tmpfile.close
91 97
          tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
92
          tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
93
          tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
98
	  assert_warn(warning) do
99
            tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
100
            tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
101
	  end
94 102
          tmp_pass.flush
95 103

  
96 104
          htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
......
110 118
          }
111 119
          http = Net::HTTP.new(addr, port)
112 120
          g = Net::HTTP::Get.new(path)
113
          g.basic_auth("webrick", "supersecretpassword")
114
          http.request(g){|res| assert_equal("hoge", res.body, log.call)}
115
          g.basic_auth("webrick", "not super")
116
          http.request(g){|res| assert_not_equal("hoge", res.body, log.call)}
121
	  assert_warn(warning) do
122
            g.basic_auth("webrick", "supersecretpassword")
123
            http.request(g){|res| assert_equal("hoge", res.body, log.call)}
124
            g.basic_auth("webrick", "not super")
125
            http.request(g){|res| assert_not_equal("hoge", res.body, log.call)}
126
	  end
117 127
        }
118 128
      }
119 129
    end
......
131 141
        Tempfile.create("test_webrick_auth") {|tmpfile|
132 142
          tmpfile.close
133 143
          tmp_pass = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
134
          tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
135
          tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
144
	  assert_warn(warning) do
145
            tmp_pass.set_passwd(realm, "webrick", "supersecretpassword")
146
            tmp_pass.set_passwd(realm, "foo", "supersecretpassword")
147
	  end
136 148
          tmp_pass.flush
137 149

  
138 150
          htpasswd = WEBrick::HTTPAuth::Htpasswd.new(tmpfile.path, password_hash: hash_algo)
......
148 160
          }
149 161
          http = Net::HTTP.new(addr, port)
150 162
          g = Net::HTTP::Get.new(path)
151
          g.basic_auth("foo\ebar", "passwd")
163
	  assert_warn(warning) do
164
            g.basic_auth("foo\ebar", "passwd")
165
	  end
152 166
          http.request(g){|res| assert_not_equal("hoge", res.body, log.call) }
153 167
        }
154 168
      }
155
-