Passwords are stripped after an ASCII NUL character #774
Passwords with null characters should not be passed to bcrypt (or any crypt(3) compatible algorithm). Far too many bugs are due to libC using popular python bcrypt implementations, Ruby bcrypt and PHP do not allow it. Some silently pass the
@sandtler @agathver Bcrypt already includes the final NUL termination character when calculating the hash. I believe that also including those caught in the middle is a reasonable default that will help to prevent a possible class of errors. And it's a simple fix. I have a pull request pending that also closes a long-standing vulnerability (re)discovered in #776.
What went wrong?
When hashing a password containing an ASCII NUL character, that character acts as the string terminator. Any following characters are ignored.
What did you expect to happen?
Strings should be handled exactly like in JavaScript, where NUL characters can occur at any position without affecting their length. I realize this is kind of an odd case, but since this is a security-relevant module, it should always behave exactly the way it is supposed to.
Which version of nodejs and OS?
node v12.13.1 on Fedora 31 x86_64
If you find a bug, please write a failing test.