[pve-devel] [PATCH common] fix #1363: dont encode unicode strings in passwords

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue May 2 10:21:12 CEST 2017


On Tue, May 02, 2017 at 08:46:07AM +0200, Fabian Grünbichler wrote:
> 
> > Dietmar Maurer <dietmar at proxmox.com> wrote on May 2, 2017 at 08:32:
> > 
> > 
> > Are you sure this is the correct fix?
> > 
> > > -    return crypt(encode("utf8", $pw), "\$5\$$salt\$");
> > > +    return crypt($pw, "\$5\$$salt\$");
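
Review bot: on the added line, $pw goes to crypt() with no encode(), which is only safe if $pw is guaranteed to be a byte string at this point, and nothing in the hunk establishes that. crypt() works on bytes: a decoded string containing a code point above 255 makes it die with "Wide character in crypt", and a decoded string with code points only in the 128-255 range is downgraded to single bytes, which hashes differently from the UTF-8 form of the same password. Suggest keeping encode("utf8", $pw) and making sure the input is decoded exactly once before it reaches this function, or documenting that callers must pass bytes.
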
> > 
> > 
> > If I run this with $pw = "€" I get an exception:
> > 
> > "wide character in crypt at"
> > 
> > ?? 
> > 
> 
> $ perl -e 'use strict; use warnings; my $salt="123"; my $pw="€"; print length($pw), "\n", crypt($pw, "\$5\$$salt\$");'
> 3
> $5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
> 
> $ perl -e 'use strict; use warnings; my $salt="123"; my $pw="漢字"; print length($pw), "\n", crypt($pw, "\$5\$$salt\$");'
> 6
> $5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD
> 
> $ echo $LANG
> en_US.UTF-8
> 
> same results in urxvt (above) and gnome-terminal with encoding and LOCALE/LANG set to ISO-8859-1
> 
> did you do some other test?
> 

okay, I stand corrected ;)

seems we were just missing the initial decode after all, and should fix
the container setup as well (including read_password and pvesh? haven't
looked there yet):

$ cat crypt.c
#define _XOPEN_SOURCE       /* See feature_test_macros(7) */
#include <unistd.h>
#include <string.h>
#include <stdio.h>

int main(void) {
    char *salt = "$5$123$";
    /* string literals are stored as the source file's bytes (UTF-8 here) */
    char *pw[] = { "a", "§", "€", "漢字" };
    for (int i = 0; i < 4; i++) {
        /* strlen() counts bytes, not characters */
        printf("%s / %zu\n", pw[i], strlen(pw[i]));
        char *crypted = crypt(pw[i], salt);
        printf("%s\n", crypted);
    }
    return 0;
}

$ gcc -std=c99 -lcrypt crypt.c

$ ./a.out
a / 1
$5$123$8yeEqJo7dQ8sBzirKXnMWGq0X0kbBVNwDDz.Zg3FGL/
§ / 2
$5$123$5QdIsCHB92DW80ZkjU9yS/vz9qVLgbobrQHwAHwxE15
€ / 3
$5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
漢字 / 6
$5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD

$ perl -e 'use strict; use warnings; use utf8; use Encode; my $salt="123"; my $pws=["a", "§", "€", "漢字"]; for my $pw (@$pws) { print $pw , " / ", length($pw), " / ", length(encode("utf8", $pw)), "\n", crypt(encode("utf-8",$pw), "\$5\$$salt\$"), "\n";}'
a / 1 / 1
$5$123$8yeEqJo7dQ8sBzirKXnMWGq0X0kbBVNwDDz.Zg3FGL/
§ / 1 / 2
$5$123$5QdIsCHB92DW80ZkjU9yS/vz9qVLgbobrQHwAHwxE15
Wide character in print at -e line 1.
€ / 1 / 3
$5$123$e/xP9ad9IEVXLJEDMrIxGNuMjk.BhpqS8A.iUo0XJt4
Wide character in print at -e line 1.
漢字 / 2 / 6
$5$123$sfE42vYzA9Xw5j5rG7mlNjjaoSE8CmIyl9VUOLtJsuD
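
The string states compared in this thread, side by side, as an added example that is not part of the original message or of pve-common. The helper name hash_chars and the constructed inputs are assumptions; it expects a libc crypt() that supports the $5$ (SHA-256) scheme, as on the systems shown above.

```perl
use strict;
use warnings;
use Encode qw(decode encode);

my $setting = '$5$123$';   # SHA-256 crypt with the salt used in the thread

# Hypothetical helper, not pve-common code: takes a decoded character string
# and encodes it to UTF-8 bytes exactly once before crypt().
sub hash_chars {
    my ($chars) = @_;
    return crypt(encode('UTF-8', $chars), $setting);
}

my $raw   = "\xC2\xA7";              # constructed input: "§" as UTF-8 bytes
my $chars = decode('UTF-8', $raw);   # one character, U+00A7

my %hash = (
    'decode, then encode once' => hash_chars($chars),
    'raw bytes, no encode'     => crypt($raw, $setting),
    # the two bytes are read as two Latin-1 characters: C3 82 C2 A7
    'raw bytes, encode anyway' => hash_chars($raw),
    # the character is downgraded to the single byte A7
    'decoded, no encode'       => crypt($chars, $setting),
);
printf "%-26s %s\n", $_, $hash{$_} for sort keys %hash;

# Above U+00FF no downgrade is possible, so crypt() dies.
my $euro = decode('UTF-8', "\xE2\x82\xAC");   # constructed input: "€", U+20AC
my $ok = eval { my $h = crypt($euro, $setting); 1 };
print "decoded euro, no encode: ", ($ok ? "hashed\n" : "died: $@");
print "decoded euro, encoded:   ", hash_chars($euro), "\n";
```

Only the "decode, then encode once" and "raw bytes, no encode" rows print the same hash; the other two rows each hash a different byte sequence, so a password stored through one path does not verify through another.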