List: busybox
Subject: Re: [PATCH] correct_password: Handle NULL from crypt
From: Lauri Kasanen <curaga () operamail ! com>
Date: 2014-02-10 10:19:07
Message-ID: 1392027547.16234.81456353.7EF29876 () webmail ! messagingengine ! com
On Mon, Feb 10, 2014, at 10:35, Rich Felker wrote:
> On Sun, Feb 09, 2014 at 12:52:50PM +0100, Denys Vlasenko wrote:
> > The old behavior was to return ""?
> > (I have no old glibc at hand to check it quickly).
> >
> > Since we have exactly one crypt() call in the entire busybox,
> > the easiest fix would be to just add
> > if (NULL) return "";
> > there. Are there downsides to that?
>
> Are you sure glibc used to return "" on invalid inputs? I thought it
> returned something unmatchable. Returning "" is mildly dangerous since
> you could end up storing a blank password in the database and allowing
> logins with no password, but if that's protected against, you should
> be fine.
Yes, it works that way. Tested on 2.7.
- Lauri
--
http://www.fastmail.fm - Send your email first class
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
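
The failure handling discussed in this thread, as an added example that is not part of the original messages and is not BusyBox's code: a verify path and a password-change path that both fail closed whether crypt() reports an error as NULL or as "". The names `crypt_fn`, `hash_or_null`, `password_ok`, `make_hash` and the three stand-in crypt functions are hypothetical, and the rule that an empty stored field never authenticates is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hook with crypt(3)'s signature, so failures can be simulated. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Treat both failure conventions, NULL and "", as "no hash produced". */
static const char *hash_or_null(crypt_fn fn, const char *key, const char *salt)
{
    const char *h = fn(key, salt);
    return (h == NULL || h[0] == '\0') ? NULL : h;
}

/* Verification: 1 only when hashing succeeded and matches the stored field.
 * Assumption of this example: an empty stored field never authenticates. */
int password_ok(crypt_fn fn, const char *entered, const char *stored)
{
    const char *h = (stored && stored[0]) ? hash_or_null(fn, entered, stored) : NULL;
    return h != NULL && strcmp(h, stored) == 0;
}

/* Password change: 0 on success, -1 on failure with out left untouched, so a
 * failed crypt() can never put a blank hash in the database. */
int make_hash(crypt_fn fn, const char *pw, const char *salt, char *out, size_t n)
{
    const char *h = hash_or_null(fn, pw, salt);
    if (h == NULL || strlen(h) >= n)
        return -1;
    strcpy(out, h);
    return 0;
}

/* Constructed stand-ins for crypt(); fake_crypt is NOT a real hash. */
char *null_crypt(const char *k, const char *s) { (void)k; (void)s; return NULL; }
char *empty_crypt(const char *k, const char *s) { static char e[1] = ""; (void)k; (void)s; return e; }
char *fake_crypt(const char *k, const char *s)
{
    static char buf[64];
    if (strncmp(s, "$T$", 3) != 0) return NULL;   /* unsupported salt */
    snprintf(buf, sizeof buf, "$T$%.50s", k);
    return buf;
}

int main(void)
{
    printf("%d %d\n", password_ok(fake_crypt, "secret", "$T$secret"),
           password_ok(null_crypt, "secret", "$T$secret"));
    return 0;
}
```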