Bug #10988

[PATCH] Raise ArgumentError when string passed to String#crypt contains null

Added by jrusnack (Jan Rusnacko) almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:<unknown>]

Description

Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain a null character.
When it does:

"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true

This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on a String that includes a null character.

https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/

Also PR: https://github.com/ruby/ruby/pull/853
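
The truncation described in the report happens because crypt(3) takes a C string, so everything after the first "\0" is silently dropped before hashing. The following is an added example, not code from the bug report or from the Ruby project: it probes how the running interpreter treats a NUL byte in the input (silent truncation on Ruby before the fix in r50458, ArgumentError afterwards), and shows an application-level guard that rejects such input explicitly so the outcome does not depend on the Ruby version. The salt value and the function names are assumptions made for the example.

```ruby
# Added example, not part of the original bug report or of ruby/ruby.
# Assumes a libc whose crypt(3) understands the SHA-512 "$6$" salt format
# (glibc, libxcrypt, musl). Constructed salt for the demonstration:
SALT = "$6$saltsalt$"

# Calls String#crypt and reports whether the interpreter raised.
# Before r50458 (Ruby < 2.3) "abc\0def".crypt(salt) == "abc".crypt(salt);
# on later versions the call raises ArgumentError ("string contains null byte").
def crypt_with_null_probe(str, salt)
  { result: str.crypt(salt), raised: false }
rescue ArgumentError => e
  { result: nil, raised: true, message: e.message }
end

# Application-level guard: refuse NUL bytes before handing the string to
# crypt(3), so a password such as "abc\0def" can never be hashed as "abc".
def safe_crypt(password, salt)
  if password.include?("\0")
    raise ArgumentError, "password contains a null byte"
  end
  password.crypt(salt)
end

# Two distinct inputs without NUL bytes must not collide under the same salt.
def compare_hashes(a, b, salt)
  a.crypt(salt) == b.crypt(salt)
end

if __FILE__ == $0
  probe = crypt_with_null_probe("abc\0def", SALT)
  if probe[:raised]
    puts "this Ruby raises: #{probe[:message]}"
  else
    puts "this Ruby truncates: #{probe[:result] == 'abc'.crypt(SALT)}"
  end
  begin
    safe_crypt("abc\0def", SALT)
  rescue ArgumentError => e
    puts "safe_crypt rejected the input: #{e.message}"
  end
  puts "distinct inputs collide? #{compare_hashes('abc', 'abcdef', SALT)}"
end
```

The guard is worth keeping even on a Ruby that already raises: it makes the rejection an explicit part of the application's input validation rather than a side effect of the interpreter's C-string handling, and it gives the caller a message it controls.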


Updated by nobu (Nobuyoshi Nakada) almost 10 years ago

I agree this behavior would be better, but maybe a feature request?

Updated by Anonymous over 9 years ago

  • Status changed from Open to Closed

Applied in changeset r50458.


  • string.c (rb_str_crypt): Raise ArgumentError when
    string passed to String#crypt contains null.
    The patch is from jrusnack.
    [Bug #10988] [fix GH-853]

  • test/ruby/test_string.rb: test for above.

Updated by usa (Usaku NAKAMURA) over 9 years ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN

Updated by nagachika (Tomoyuki Chikanaga) over 9 years ago

  • Backport changed from 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX