[pve-devel] [PATCH common] fix #1363: dont encode unicode strings in passwords
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue May 2 10:21:12 CEST 2017
On Tue, May 02, 2017 at 08:46:07AM +0200, Fabian Grünbichler wrote:
>
> > Dietmar Maurer <dietmar at proxmox.com> wrote on May 2, 2017 at 08:32:
> >
> >
> > Are you sure this is the correct fix?
> >
> > > - return crypt(encode("utf8", $pw), "\$5\$$salt\$");
> > > + return crypt($pw, "\$5\$$salt\$");
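Review bot: on the `+` line, crypt() now receives `$pw` as-is, so the resulting hash depends on whether the caller passes UTF-8 bytes or a decoded character string. Perl downgrades a character string to one byte per character before calling crypt(), so a decoded "§" is hashed as a single Latin-1 byte instead of its two UTF-8 bytes, and any character above U+00FF such as "€" dies with "Wide character in crypt". Either keep `encode("utf8", $pw)` and make sure every entry point decodes its input exactly once, or state at this function that `$pw` must already be a byte string.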
> >
> >
> > If I run this with $pw = "€" I get an exception:
> >
> > "wide character in crypt at"
> >
> > ??
> >
>
> $ perl -e 'use strict; use warnings; my $salt="123"; my $pw="€"; print length($pw), "\n", crypt($pw, "\$5\$$salt\$");'
> 3
> $5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
>
> $ perl -e 'use strict; use warnings; my $salt="123"; my $pw="漢字"; print length($pw), "\n", crypt($pw, "\$5\$$salt\$");'
> 6
> $5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD
>
> $ echo $LANG
> en_US.UTF-8
>
> same results in urxvt (above) and gnome-terminal with encoding and LOCALE/LANG set to ISO-8859-1
>
> did you do some other test?
>
okay, I stand corrected ;)
seems we were just missing the initial decode after all, and should fix
the container setup as well (including read_password and pvesh? haven't
looked there yet):
$ cat crypt.c
#define _XOPEN_SOURCE       /* See feature_test_macros(7) */
#include <unistd.h>
#include <string.h>
#include <stdio.h>

int main(void) {
    char *salt = "$5$123$";
    char *pw[] = { "a", "§", "€", "漢字" };

    for (int i = 0; i < 4; i++) {
        /* strlen() counts bytes, not characters */
        printf("%s / %zu\n", pw[i], strlen(pw[i]));
        char *crypted = crypt(pw[i], salt);
        printf("%s\n", crypted);
    }
    return 0;
}
$ gcc -std=c99 -lcrypt crypt.c
$ ./a.out
a / 1
$5$123$8yeEqJo7dQ8sBzirKXnMWGq0X0kbBVNwDDz.Zg3FGL/
§ / 2
$5$123$5QdIsCHB92DW80ZkjU9yS/vz9qVLgbobrQHwAHwxE15
€ / 3
$5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
漢字 / 6
$5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD
$ perl -e 'use strict; use warnings; use utf8; use Encode; my $salt="123"; my $pws=["a", "§", "€", "漢字"]; for my $pw (@$pws) { print $pw , " / ", length($pw), " / ", length(encode("utf8", $pw)), "\n", crypt(encode("utf-8",$pw), "\$5\$$salt\$"), "\n";}'
a / 1 / 1
$5$123$8yeEqJo7dQ8sBzirKXnMWGq0X0kbBVNwDDz.Zg3FGL/
§ / 1 / 2
$5$123$5QdIsCHB92DW80ZkjU9yS/vz9qVLgbobrQHwAHwxE15
Wide character in print at -e line 1.
€ / 1 / 3
$5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
Wide character in print at -e line 1.
漢字 / 2 / 6
$5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD
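
The decode-then-encode conclusion of the message above, as an added example that is not part of the original post or of pve-common: it takes the thread's four passwords as raw UTF-8 bytes, decodes them once, and compares passing the decoded characters straight to crypt() against encoding them first. The helper names `hash_chars` and `direct_result` are hypothetical, and a libc crypt() with `$5$` (SHA-256) support is assumed, as in the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from pve-common.
# Assumes a libc whose crypt() supports "$5$" (SHA-256), as in the thread.
use strict;
use warnings;
use Encode qw(decode encode);

my $setting = '$5$123$';    # same salt as the thread's tests

# Hypothetical helper: hash a decoded (character) password by encoding it
# to UTF-8 bytes first, so crypt() sees what libc would see.
sub hash_chars {
    my ($chars) = @_;
    return crypt(encode('UTF-8', $chars), $setting);
}

# Describe what happens when decoded characters go to crypt() unencoded.
sub direct_result {
    my ($chars, $want) = @_;
    my $hash = eval { crypt($chars, $setting) };
    if (!defined $hash) {
        (my $err = $@) =~ s/ at .*//s;    # e.g. "Wide character in crypt"
        return "dies: $err";
    }
    return $hash eq $want ? 'same hash' : 'different hash';
}

# Constructed sample input: the thread's passwords as raw UTF-8 bytes,
# the form in which they arrive from a terminal or an HTTP request.
my @raw = ("a", "\xc2\xa7", "\xe2\x82\xac", "\xe6\xbc\xa2\xe5\xad\x97");

for my $bytes (@raw) {
    my $want  = crypt($bytes, $setting);    # reference: hash over the bytes
    my $chars = decode('UTF-8', $bytes);    # the "initial decode"
    printf "%-12s chars=%d bytes=%d | direct: %-30s | encoded: %s\n",
        unpack('H*', $bytes), length($chars), length($bytes),
        direct_result($chars, $want),
        hash_chars($chars) eq $want ? 'same hash' : 'different hash';
}
```

The "direct" column only matches for pure ASCII: "§" silently yields a different hash because Perl hashes its Latin-1 byte, and "€" and "漢字" make crypt() die, while the "encoded" column matches the byte-level reference for all four.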