Issue #10988 has been updated by Tomoyuki Chikanaga.

Backport changed from 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX

----------------------------------------
Bug #10988: [PATCH] Raise ArgumentError when string passed to String#crypt contains null
https://bugs.ruby-lang.org/issues/10988#change-53236

* Author: Jan Rusnacko
* Status: Closed
* Priority: Normal
* Assignee: 
* ruby -v: 2.3.0dev
* Backport: 2.0.0: WONTFIX, 2.1: WONTFIX, 2.2: WONTFIX
----------------------------------------
Currently String#crypt assumes that it is called on a password typed
by the user, specifically, that it does not contain null character.
When it does:

    "abc\0def".crypt("pass") == "abc".crypt("pass")
    => true

This may not be desirable, and developers invoking crypt on strings
that potentially include null may expect different results. To
prevent security failures, this patch changes String#crypt to throw
ArgumentError when invoked on String that includes null character.

https://www.reddit.com/r/netsec/comments/2yugos/null_bytes_bcrypt_problem/

Also PR: https://github.com/ruby/ruby/pull/853

---Files--------------------------------
0001-Raise-ArgumentError-when-string-passed-to-String-cry.patch (1.87 KB)


-- 
https://bugs.ruby-lang.org/