Date: Wed, 25 Jul 2018 05:09:21 +0000 (UTC)
From: merch-redmine@jeremyevans.net
To: ruby-core@ruby-lang.org
Subject: [ruby-core:88097] [Ruby trunk Feature#14915] Deprecate String#crypt, move implementation to string/crypt

Issue #14915 has been updated by jeremyevans0 (Jeremy Evans).


normalperson (Eric Wong) wrote:
> Allowing options which other servers do not support is not
> something I want, as it could be a way to lock people into
> WEBrick.  Being compatible with htpasswd to allow users
> of other servers to easily migrate in any direction is more
> important.

Fair enough, I'll work on adding support for `:password_hash=>:bcrypt|:crypt` (currently defaulting to :crypt if not given for backwards compatibility).

> I haven't looked into LDAP authentication; but maybe that can
> use a URI to the LDAP server instead of path.  I don't know how
> Apache or other servers do it, even; but we should try to steal
> configuration/setup ideas from other servers to minimize
> migration costs in either direction and not introduce things
> which make it difficult to migrate away from.

I don't think it makes sense to add specific support for other authentication options.  If we aren't going to offer generic support, then we should limit the feature addition to the ability to use bcrypt.  That allows people the ability to use an .htpasswd file with a strong password hash, and allows String#crypt to be deprecated and then moved to a gem.
----------------------------------------
Feature #14915: Deprecate String#crypt, move implementation to string/crypt
https://bugs.ruby-lang.org/issues/14915#change-73119

* Author: jeremyevans0 (Jeremy Evans)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
This method is system and implementation dependent, and the portable usage mentioned in the documentation is not truly portable (doesn't work on OpenBSD) and insecure as it uses DES.  For systems that lack a crypt(3) implementation, Ruby will happily substitute a version that only supports DES.  It's 2018, using DES should be avoided if at all possible.

The only internal usage of String#crypt in Ruby is in Webrick, where it uses DES for basic authentication with an htpasswd file.  That could and should be changed to use a more secure hash by default (bcrypt since that's the most secure htpasswd format), or at least allow the user to customize Webrick's authentication.  I expect there are few if any users actively using Webrick's htpasswd support.

This moves the String#crypt implementation to the string/crypt extension, but leaves the String#crypt core method.  The core method prints a deprecation warning, then loads the string/crypt extension.  The string/crypt extension undefines the String#crypt core method, then defines the previous implementation.

Because extensions use extconf.rb instead of configure for their configuration, this ports the related configure.ac code to extconf.rb.  I'm not sure that is done correctly and works on all platforms, it will need testing.

For systems that lack a crypt(3) implementation, this modifies the fallback code to only define crypt_r, since that is the only function that String#crypt will call in that case.
While the patch just deprecates String#crypt, I think we should plan to remove support from ruby:

2.6: core method deprecated
2.7: core method removed, string/crypt extension ships with ruby
2.8: string/crypt extension moves to external gem, not shipped

---Files--------------------------------
0001-Deprecate-String-crypt-move-implementation-to-string.patch (20.5 KB)


-- 
https://bugs.ruby-lang.org/
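An added example, not code from this thread or from WEBrick or Ruby itself: a small Ruby audit of an Apache-style htpasswd file that classifies each entry's hash format, flags the DES crypt(3) and unsalted SHA-1 entries that the bcrypt migration discussed above would want to replace, verifies a password against an entry with a constant-time compare, and checks whether this platform's crypt(3) silently truncates passwords to 8 characters. The function names, and the user names and hash strings in the sample file, are constructed for illustration; bcrypt verification assumes the bcrypt gem, which is not part of Ruby's standard library.

```ruby
# Added example (not from the thread, WEBrick or Ruby): audit an htpasswd
# file for entries that still rely on traditional DES crypt(3).
require 'digest'

# Constructed sample. "sha1user" holds {SHA} of the word "password";
# "desuser" holds a 13-character DES-shaped value that exists only so the
# classifier has something to flag (it is not the hash of any known input).
SAMPLE_HTPASSWD = <<~HTPASSWD
  # comment lines and blank lines are ignored
  bcryptuser:$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
  apr1user:$apr1$saltsalt$0123456789abcdefghijkl
  sha1user:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

  desuser:abJnggxhB/yWI
HTPASSWD

# Classify a hash field by the shape htpasswd(1) gives each format.
def htpasswd_hash_type(hash)
  case hash
  when /\A\$2[aby]\$\d\d\$/       then :bcrypt     # htpasswd -B
  when /\A\$apr1\$/               then :apr1_md5   # htpasswd -m (Apache MD5)
  when /\A\{SHA\}/                then :sha1       # htpasswd -s, unsalted SHA-1
  when /\A[.\/0-9A-Za-z]{13}\z/   then :des_crypt  # htpasswd -d, traditional crypt(3)
  else :unknown
  end
end

# Parse "user:hash" lines into entries; comments and blank lines are skipped.
def parse_htpasswd(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    user, hash = line.split(':', 2)
    { user: user, hash: hash.to_s, type: htpasswd_hash_type(hash.to_s) }
  end
end

# DES crypt keeps only 8 characters of the password and uses a 12-bit salt;
# unsalted SHA-1 is cheap to brute-force. Both are flagged here.
WEAK_TYPES = [:des_crypt, :sha1, :unknown].freeze

def weak_users(text)
  parse_htpasswd(text).select { |e| WEAK_TYPES.include?(e[:type]) }.map { |e| e[:user] }
end

# Constant-time comparison so verification does not leak how many leading
# bytes of the stored hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a password against one entry. bcrypt needs the bcrypt gem (assumed,
# not stdlib); apr1 is out of scope for this example.
def verify_entry(entry, password)
  hash = entry[:hash]
  case entry[:type]
  when :sha1
    encoded = [Digest::SHA1.digest(password)].pack('m0')   # strict base64
    secure_equal?(hash, '{SHA}' + encoded)
  when :des_crypt
    secure_equal?(hash, password.crypt(hash[0, 2]))        # salt = first two chars
  when :bcrypt
    require 'bcrypt'
    BCrypt::Password.new(hash) == password
  else
    raise ArgumentError, "unsupported htpasswd hash type #{entry[:type]}"
  end
end

# Demonstrates the truncation the issue objects to: under DES crypt, two
# passwords sharing their first 8 characters verify identically. Returns nil
# when this platform's crypt(3) does not produce DES output at all.
def des_truncates_password?
  a = 'password1'.crypt('ab')
  b = 'password2'.crypt('ab')
  return nil unless htpasswd_hash_type(a) == :des_crypt
  a == b
rescue StandardError, NotImplementedError
  nil
end

if $PROGRAM_NAME == __FILE__
  puts "weak entries: #{weak_users(SAMPLE_HTPASSWD).join(', ')}"
  puts "DES truncates to 8 chars: #{des_truncates_password?.inspect}"
end
```

`des_truncates_password?` returning nil rather than a boolean is the portability problem the issue describes: on a system whose crypt(3) refuses DES, String#crypt gives no usable result, so an htpasswd file full of 13-character entries cannot be verified there at all. Running `weak_users` over a real file before switching WEBrick to `:password_hash=>:bcrypt` tells you which accounts must be re-hashed rather than migrated.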