[PATCH] correct_password: Handle NULL from crypt
Lauri Kasanen
curaga at operamail.com
Mon Feb 10 10:19:07 UTC 2014
On Mon, Feb 10, 2014, at 10:35, Rich Felker wrote:
> On Sun, Feb 09, 2014 at 12:52:50PM +0100, Denys Vlasenko wrote:
> > The old behavior was to return ""?
> > (I have no old glibc at hand to check it quickly).
> >
> > Since we have exactly one crypt() call in the entire busybox,
> > the easiest fix would be to just add
> > if (NULL) return "";
> > there. Are there downsides to that?
>
> Are you sure glibc used to return "" on invalid inputs? I thought it
> returned something unmatchable. Returning "" is mildly dangerous since
> you could end up storing a blank password in the database and allowing
> logins with no password, but if that's protected against, you should
> be fine.
Yes, it works that way. Tested on 2.7.
- Lauri
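
The two failure modes discussed in this thread, as an added example that is not part of the original messages and is not BusyBox code. `toy_crypt`, `toy_crypt_empty`, `check_naive` and `check_hardened` are hypothetical names, the toy "hash" is a constructed stand-in for crypt(3) so the block runs without libcrypt, and refusing a blank stored field is this example's assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3); passed in so stand-ins can be used offline. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed toy, NOT a real hash: valid salts start with "$t$", others fail with NULL. */
static char *toy_crypt(const char *key, const char *salt)
{
    static char out[64];
    if (strncmp(salt, "$t$", 3) != 0)
        return NULL;
    snprintf(out, sizeof out, "$t$%s", key);
    return out;
}

/* Same toy with failures mapped to "", the behaviour discussed in the thread. */
static char *toy_crypt_empty(const char *key, const char *salt)
{
    static char empty[] = "";
    char *r = toy_crypt(key, salt);
    return r ? r : empty;
}

/* Unguarded comparison: undefined behaviour on NULL, and "" vs "" counts as a match. */
static int check_naive(crypt_fn do_crypt, const char *stored, const char *typed)
{
    return strcmp(do_crypt(typed, stored), stored) == 0;
}

/* Guarded comparison: a blank stored field, NULL or "" from crypt never matches. */
static int check_hardened(crypt_fn do_crypt, const char *stored, const char *typed)
{
    const char *h;
    if (stored == NULL || stored[0] == '\0')
        return 0;
    h = do_crypt(typed, stored);
    if (h == NULL || h[0] == '\0')
        return 0;
    return strcmp(h, stored) == 0;
}

int main(void)
{
    printf("naive, blank stored field: %d\n", check_naive(toy_crypt_empty, "", "guess"));
    printf("hardened, blank stored field: %d\n", check_hardened(toy_crypt_empty, "", "guess"));
    printf("hardened, NULL from crypt: %d\n", check_hardened(toy_crypt, "!", "guess"));
    return 0;
}
```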