On Sun, Feb 09, 2014 at 12:52:50PM +0100, Denys Vlasenko wrote:
> On Mon, Feb 3, 2014 at 5:50 PM, Lauri Kasanen <[email protected]> wrote:
> > As with much other software, busybox was also broken by the glibc >=
> > 2.17 behavior change. Now crypt() returns NULL if either salt or
> > password is invalid.
>
> What is "invalid password"?
>
> I just tested and crypt() returns NULL if *salt* is invalid (say, "").
> It's on glibc 2.17.
>
> The old behavior was to return ""?
> (I have no old glibc at hand to check it quickly).
>
> Since we have exactly one crypt() call in the entire busybox,
> the easiest fix would be to just add
> if (NULL) return "";
> there. Are there downsides to that?
Are you sure glibc used to return "" on invalid inputs? I thought it returned something unmatchable. Returning "" is mildly dangerous since you could end up storing a blank password in the database and allowing logins with no password, but if that's protected against, you should be fine.

Rich

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
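Rich's point about "" versus an unmatchable result, as an added C example that is not from this thread or from busybox: a constructed stand-in for glibc >= 2.17 crypt() that returns NULL on an empty salt (it does not produce a real hash), the proposed NULL-to-"" mapping beside a variant that treats NULL or an empty stored field as an authentication failure. All function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3), so the checks below can take the real crypt()
 * in production and this stand-in here. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for glibc >= 2.17 crypt(): NULL on an empty salt,
 * otherwise a fake "hash" of the first two salt chars plus the key.
 * Not a real hash; it only needs the NULL behavior for this example. */
static char *fake_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (salt == NULL || salt[0] == '\0')
        return NULL;                           /* glibc >= 2.17 behavior */
    snprintf(out, sizeof out, "%.2s%s", salt, key);
    return out;
}

/* The fix proposed in the thread, approximated: map NULL to "".
 * With an empty stored field the two empty strings compare equal and
 * the login is accepted, which is the hazard Rich describes. */
static int check_proposed(crypt_fn c, const char *stored, const char *pw)
{
    const char *h = c(pw, stored);             /* stored hash is the salt */
    if (h == NULL)
        h = "";
    return strcmp(h, stored) == 0;             /* 1 = accept, 0 = reject */
}

/* Defensive variant: an empty stored field never matches, and a NULL or
 * empty crypt() result is a failure, not a candidate for comparison. */
static int check_safe(crypt_fn c, const char *stored, const char *pw)
{
    if (stored == NULL || stored[0] == '\0')
        return 0;
    const char *h = c(pw, stored);
    if (h == NULL || h[0] == '\0')
        return 0;
    return strcmp(h, stored) == 0;
}

int main(void)
{
    printf("proposed, empty stored field: %d\n", check_proposed(fake_crypt, "", "x"));
    printf("safe,     empty stored field: %d\n", check_safe(fake_crypt, "", "x"));
    printf("safe,     correct password:   %d\n", check_safe(fake_crypt, "absecret", "secret"));
    return 0;
}
```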
