Bug #10988
closed
[PATCH] Raise ArgumentError when string passed to String#crypt contains null
Description
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:
"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true
This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.
https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/
Files
Updated by nobu (Nobuyoshi Nakada) about 9 years ago
I agree this behavior would be better, but maybe a feature request?
Updated by Anonymous almost 9 years ago
- Status changed from Open to Closed
Applied in changeset r50458.
-
string.c (rb_str_crypt): Raise ArgumentError when
string passed to String#crypt contains null.
the patch is from jrusnack .
[Bug #10988] [fix GH-853] -
test/ruby/test_string.rb: test for above.
Updated by usa (Usaku NAKAMURA) almost 9 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN
Updated by nagachika (Tomoyuki Chikanaga) almost 9 years ago
- Backport changed from 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX