* [ruby-core:68577] [Ruby trunk - Bug #10988] [Open] [PATCH] Raise ArgumentError when string passed to String#crypt contains null
[not found] <redmine.issue-10988.20150320133542@ruby-lang.org>
@ 2015-03-20 13:35 ` jrusnack
2015-03-21 6:21 ` [ruby-core:68586] [Ruby trunk - Bug #10988] " nobu
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: jrusnack @ 2015-03-20 13:35 UTC (permalink / raw)
To: ruby-core
Issue #10988 has been reported by Jan Rusnacko.
----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988
* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v: 2.3.0dev
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:
"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true
This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.
https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/
Also PR: https://github.com/ruby/ruby/pull/853
---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 4+ messages in thread
* [ruby-core:68586] [Ruby trunk - Bug #10988] [PATCH] Raise ArgumentError when string passed to String#crypt contains null
[not found] <redmine.issue-10988.20150320133542@ruby-lang.org>
2015-03-20 13:35 ` [ruby-core:68577] [Ruby trunk - Bug #10988] [Open] [PATCH] Raise ArgumentError when string passed to String#crypt contains null jrusnack
@ 2015-03-21 6:21 ` nobu
2015-06-30 4:19 ` [ruby-core:69805] " usa
2015-07-02 4:54 ` [ruby-core:69838] " nagachika00
3 siblings, 0 replies; 4+ messages in thread
From: nobu @ 2015-03-21 6:21 UTC (permalink / raw)
To: ruby-core
Issue #10988 has been updated by Nobuyoshi Nakada.
I agree this behavior would be better, but maybe a feature request?
----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988#change-51897
* Author: Jan Rusnacko
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v: 2.3.0dev
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:
"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true
This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.
https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/
Also PR: https://github.com/ruby/ruby/pull/853
---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 4+ messages in thread
* [ruby-core:69805] [Ruby trunk - Bug #10988] [PATCH] Raise ArgumentError when string passed to String#crypt contains null
[not found] <redmine.issue-10988.20150320133542@ruby-lang.org>
2015-03-20 13:35 ` [ruby-core:68577] [Ruby trunk - Bug #10988] [Open] [PATCH] Raise ArgumentError when string passed to String#crypt contains null jrusnack
2015-03-21 6:21 ` [ruby-core:68586] [Ruby trunk - Bug #10988] " nobu
@ 2015-06-30 4:19 ` usa
2015-07-02 4:54 ` [ruby-core:69838] " nagachika00
3 siblings, 0 replies; 4+ messages in thread
From: usa @ 2015-06-30 4:19 UTC (permalink / raw)
To: ruby-core
Issue #10988 has been updated by Usaku NAKAMURA.
Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN
----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988#change-53201
* Author: Jan Rusnacko
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: 2.3.0dev
* Backport: 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN
----------------------------------------
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:
"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true
This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.
https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/
Also PR: https://github.com/ruby/ruby/pull/853
---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 4+ messages in thread
* [ruby-core:69838] [Ruby trunk - Bug #10988] [PATCH] Raise ArgumentError when string passed to String#crypt contains null
[not found] <redmine.issue-10988.20150320133542@ruby-lang.org>
` (2 preceding siblings ...)
2015-06-30 4:19 ` [ruby-core:69805] " usa
@ 2015-07-02 4:54 ` nagachika00
3 siblings, 0 replies; 4+ messages in thread
From: nagachika00 @ 2015-07-02 4:54 UTC (permalink / raw)
To: ruby-core
Issue #10988 has been updated by Tomoyuki Chikanaga.
Backport changed from 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX
----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988#change-53236
* Author: Jan Rusnacko
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: 2.3.0dev
* Backport: 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX
----------------------------------------
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:
"abc\0def".crypt("pass") == "abc".crypt("pass")
=> true
This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.
https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/
Also PR: https://github.com/ruby/ruby/pull/853
---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-07-02 4:28 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <redmine.issue-10988.20150320133542@ruby-lang.org>
2015-03-20 13:35 ` [ruby-core:68577] [Ruby trunk - Bug #10988] [Open] [PATCH] Raise ArgumentError when string passed to String#crypt contains null jrusnack
2015-03-21 6:21 ` [ruby-core:68586] [Ruby trunk - Bug #10988] " nobu
2015-06-30 4:19 ` [ruby-core:69805] " usa
2015-07-02 4:54 ` [ruby-core:69838] " nagachika00
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).