<p>Ruby Issue Tracking System (https://redmine.ruby-lang.org/)</p>
<p>Ruby master - Feature #14940: Support bcrypt password hashing in webrick<br>
https://redmine.ruby-lang.org/issues/14940?journal_id=73138<br>
2018-07-26T03:21:59Z, normalperson (Eric Wong), normalperson@yhbt.net</p>
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li></ul><p>Applied in changeset trunk|r64060.</p>
<hr>
<p>webrick: Support bcrypt password hashing</p>
<p>This adds a password_hash keyword argument to<br>
WEBrick::HTTPAuth::Htpasswd#initialize. If set to :bcrypt, it<br>
will create bcrypt hashes instead of crypt hashes, and will<br>
raise an exception if the .htpasswd file uses crypt hashes.</p>
<p>If :bcrypt is used, then instead of calling<br>
BasicAuth.make_passwd (which uses crypt),<br>
WEBrick::HTTPAuth::Htpasswd#set_passwd will set the bcrypt<br>
password directly. It isn't possible to change the<br>
make_passwd API to accept the password hash format, as that<br>
would break configurations that use Htpasswd#auth_type= to set<br>
a custom auth_type.</p>
<p>This modifies WEBrick::HTTPAuth::BasicAuth to handle checking<br>
both crypt and bcrypt hashes.</p>
<p>There are commented out requires for 'string/crypt', to handle<br>
when String#crypt is deprecated and the undeprecated version is<br>
moved to a gem.</p>
<p>There is also a commented out warning for the case when<br>
the password_hash keyword is not specified and 'string/crypt'<br>
cannot be required. I think the warning makes sense to nudge<br>
users to using bcrypt.</p>
<p>I've updated the tests to test nil, :crypt, and :bcrypt values<br>
for the password_hash keyword, skipping the bcrypt tests if the<br>
bcrypt library cannot be required.</p>
<p><a href="/issues/14940">[ruby-core:88111]</a> [Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support bcrypt password hashing in webrick (Closed)" href="https://redmine.ruby-lang.org/issues/14940">#14940</a>]</p>
<p>From: Jeremy Evans <a href="mailto:code@jeremyevans.net" class="email">code@jeremyevans.net</a></p>
<p>Ruby master - Feature #14940: Support bcrypt password hashing in webrick<br>
https://redmine.ruby-lang.org/issues/14940?journal_id=73139<br>
2018-07-26T03:32:40Z, normalperson (Eric Wong), normalperson@yhbt.net</p>
<p>Thanks, applied as r64060.</p>
<p>I needed to add RUBYLIB=/path/to/bcrypt/lib to my make command<br>
line to test bcrypt; but I suppose that's fine.</p>
<p>Ruby master - Feature #14940: Support bcrypt password hashing in webrick<br>
https://redmine.ruby-lang.org/issues/14940?journal_id=78120<br>
2019-05-22T05:03:57Z, akr (Akira Tanaka), akr@fsij.org</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-6 priority-4 priority-default closed" href="/issues/14915">Feature #14915</a>: Deprecate String#crypt</i> added</li></ul>
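<p>The commit message above says that with password_hash set to :bcrypt an exception is raised if the .htpasswd file uses crypt hashes. The following is an added example, not code from WEBrick or from this changeset, that audits an htpasswd file for non-bcrypt entries before that setting is switched on. The helper names, the prefix patterns and the 13-character shape assumed for traditional crypt output are assumptions of this example.</p>

```ruby
# Added example: audit htpasswd entries before enabling password_hash: :bcrypt.
# classify_hash, audit_htpasswd and needs_rehash are hypothetical helpers,
# not part of the WEBrick API.

# Map a stored password field to a hash scheme by its prefix and shape.
def classify_hash(field)
  case field
  when /\A\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}\z/ then :bcrypt    # cost + 22 salt + 31 digest
  when /\A\$apr1\$/                              then :apr1_md5
  when /\A\{SHA\}/                               then :sha1
  when /\A[.\/A-Za-z0-9]{13}\z/                  then :des_crypt # assumed traditional crypt shape
  else :unknown
  end
end

# Parse htpasswd text ("user:hash" per line) into { scheme => [user, ...] },
# skipping blank lines and comments; lines without a hash field are :malformed.
def audit_htpasswd(text)
  report = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    user, field = line.split(":", 2)
    report[field.nil? ? :malformed : classify_hash(field)] << user
  end
  report
end

# Users whose entries are not bcrypt and need their password set again.
def needs_rehash(text)
  audit_htpasswd(text).reject { |scheme, _| scheme == :bcrypt }.values.flatten.sort
end

# Constructed sample: placeholder strings with the right shape, not real hashes.
SAMPLE = <<~HTPASSWD
  # constructed sample
  alice:$2a$10$#{'A' * 53}
  bob:ab#{'x' * 11}
  carol:$apr1$abcdefgh$0123456789abcdefghijkl
  dave
HTPASSWD

if __FILE__ == $PROGRAM_NAME
  audit_htpasswd(SAMPLE).each { |scheme, users| puts "#{scheme}: #{users.join(', ')}" }
  puts "needs rehash: #{needs_rehash(SAMPLE).join(', ')}"
end
```

<p>Entries reported by needs_rehash cannot be converted in place, since the plaintext is not recoverable from the stored hash; those passwords have to be set again once bcrypt is enabled.</p>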