[PATCH] correct_password: Handle NULL from crypt

Lauri Kasanen curaga at operamail.com
Mon Feb 10 10:19:07 UTC 2014



On Mon, Feb 10, 2014, at 10:35, Rich Felker wrote:
> On Sun, Feb 09, 2014 at 12:52:50PM +0100, Denys Vlasenko wrote:
> > The old behavior was to return ""?
> > (I have no old glibc at hand to check it quickly).
> > 
> > Since we have exactly one crypt() call in the entire busybox,
> > the easiest fix would be to just add
> >     if (NULL) return "";
> > there. Are there downsides to that?
> 
> Are you sure glibc used to return "" on invalid inputs? I thought it
> returned something unmatchable. Returning "" is mildly dangerous since
> you could end up storing a blank password in the database and allowing
> logins with no password, but if that's protected against, you should
> be fine.

Yes, it works that way. Tested on 2.7.

- Lauri
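The risk discussed in the quoted reply, as an added example (not BusyBox code and not from this thread): substituting `""` for a NULL result lets a blank stored field match any password, while a fail-closed check does not. The function names and the stub hash functions are hypothetical, the hash routine is passed in with the same signature as `crypt(3)` so the NULL path can be exercised without libcrypt, and rejecting a blank stored field is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the failure path runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Weak: a NULL result becomes "", so a blank stored field matches any password. */
int check_substitute_empty(crypt_fn hash, const char *pw, const char *stored)
{
    const char *h = hash(pw, stored);
    if (h == NULL)
        h = "";
    return strcmp(h, stored) == 0;
}

/* Fail closed: a NULL or empty result never authenticates. Rejecting a blank
 * stored field is an assumed policy (no passwordless accounts). */
int check_fail_closed(crypt_fn hash, const char *pw, const char *stored)
{
    const char *h;
    if (stored == NULL || stored[0] == '\0')
        return 0;
    h = hash(pw, stored);
    if (h == NULL || h[0] == '\0')
        return 0;
    return strcmp(h, stored) == 0;
}

/* Constructed stand-in: hashing always fails, as crypt() may on invalid input. */
char *stub_crypt_fails(const char *key, const char *salt)
{
    (void)key; (void)salt;
    return NULL;
}

/* Constructed stand-in: fixed output for the password "secret". */
char *stub_crypt_ok(const char *key, const char *salt)
{
    static char hit[] = "$x$constructed-hash", miss[] = "$x$other";
    (void)salt;
    return strcmp(key, "secret") == 0 ? hit : miss;
}

int main(void)
{
    printf("weak, blank field:        %d\n", check_substitute_empty(stub_crypt_fails, "guess", ""));
    printf("fail-closed, blank field: %d\n", check_fail_closed(stub_crypt_fails, "guess", ""));
    return 0;
}
```

The same rule applies on the storing side: a NULL or empty hash result should abort the password change rather than be written to the database.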



