Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #10988

closed

[PATCH] Raise ArgumentError when string passed to String#crypt contains null

Added by jrusnack (Jan Rusnacko) over 9 years ago. Updated over 9 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

2.3.0dev

Backport:

2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX

[ruby-core:<unknown>]

Description

Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:

"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true

This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.

https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/

Also PR: https://github.com/ruby/ruby/pull/853

Files

0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB) 0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch

jrusnack (Jan Rusnacko), 03/20/2015 01:32 PM