Project

General

Profile

Actions

Bug #10988

closed

[PATCH] Raise ArgumentError when string passed to String#crypt contains null

Added by jrusnack (Jan Rusnacko) over 9 years ago. Updated over 9 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:<unknown>]

Description

Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:

"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true

This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.

https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/

Also PR: https://github.com/ruby/ruby/pull/853


Files

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0