Date: Thu, 02 Jul 2015 04:54:10 +0000
From: nagachika00@gmail.com
To: ruby-core@ruby-lang.org
Subject: [ruby-core:69838] [Ruby trunk - Bug #10988] [PATCH] Raise ArgumentError when string passed to String#crypt contains null
X-Redmine-Issue-Id: 10988
X-Redmine-Host: bugs.ruby-lang.org

Issue #10988 has been updated by Tomoyuki Chikanaga.
Backport changed from 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX

----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988#change-53236

* Author: Jan Rusnacko
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: 2.3.0dev
* Backport: 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX
----------------------------------------
Currently String#crypt assumes that it is called on a password typed by the user, specifically, that it does not contain a null character. When it does:

  "abc\0def".crypt("pass") == "abc".crypt("pass") => true

This may not be desirable, and developers invoking crypt on strings that potentially include null may expect different results. To prevent security failures, this patch changes String#crypt to throw ArgumentError when invoked on a String that includes a null character.

https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/

Also PR: https://github.com/ruby/ruby/pull/853

---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)

-- 
https://bugs.ruby-lang.org/
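The collision the report shows ("abc\0def" hashing the same as "abc") happens because String#crypt hands the Ruby string to crypt(3), which reads a NUL-terminated C string and therefore stops at the first null byte. The following is an added example, not code from the issue, the attached patch or ruby/ruby: `c_string_view` models what the C side actually sees, and `nul_safe_crypt` is an application-level guard in the spirit of the patch (both names, and the messages, are my own). Ruby 2.3 and later perform this check inside String#crypt itself; the wrapper matters on the 2.0 to 2.2 series, which the backport decision above leaves unchanged.

```ruby
# Added example (not from the issue, the patch or ruby/ruby): why a NUL byte
# silently truncates input passed to crypt(3), and a guard that refuses such
# input instead of letting it collide with a shorter password.

NUL = "\0".freeze

# What a C function taking a NUL-terminated char* sees: the bytes up to the
# first NUL. This models the root cause of
#   "abc\0def".crypt("pass") == "abc".crypt("pass")
def c_string_view(str)
  i = str.index(NUL)
  i ? str[0, i] : str
end

# True if two inputs become indistinguishable once truncated at NUL.
def collide_under_c_truncation?(a, b)
  c_string_view(a) == c_string_view(b)
end

# Guard in the spirit of the patch: raise ArgumentError for a NUL byte in the
# password or the salt rather than hashing a silently truncated value.
# (Hypothetical wrapper name; Ruby 2.3+ does this check in String#crypt.)
def nul_safe_crypt(password, salt)
  raise ArgumentError, "password contains a null byte" if password.include?(NUL)
  raise ArgumentError, "salt contains a null byte" if salt.include?(NUL)
  password.crypt(salt)
end

if __FILE__ == $PROGRAM_NAME
  p c_string_view("abc\0def")                      # "abc"
  p collide_under_c_truncation?("abc\0def", "abc") # true
  begin
    nul_safe_crypt("abc\0def", "pa")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The guard deliberately rejects rather than strips or escapes the byte: a password store that silently normalises "abc\0def" to "abc" would still verify the wrong credential, which is the failure mode the report is concerned with.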