Created
January 21, 2015 23:51
-
-
Save davestevens/a9187de713a32cb005b1 to your computer and use it in GitHub Desktop.
BCrypt Issue
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| require "uri" | |
| require "bcrypt" | |
| secret = "abcd/1234" | |
| encrypted_password = BCrypt::Password.create(secret) | |
| encoded_secret = URI.encode_www_form_component(secret) | |
| password = URI.decode(encoded_secret) | |
| # Interacting with `password` at all affects it. | |
| # In Devise a presence check is performed. | |
| # A `puts` will also cause a breakage. | |
| puts password | |
| bcrypt = BCrypt::Password.new(encrypted_password) | |
| # Devise adds pepper to the password before hashing it | |
| # this pepper can be nil and this results in a corrupt string when it gets to | |
| # the mri layer which BCrypt uses. | |
| password_with_nil = BCrypt::Engine.hash_secret("#{password}#{nil}", bcrypt.salt) | |
| if password_with_nil == encrypted_password | |
| puts "Password with nil was correct" | |
| else | |
| puts "Password with nil was incorrect" | |
| end | |
| password = BCrypt::Engine.hash_secret(password, bcrypt.salt) | |
| if password == encrypted_password | |
| puts "Password was correct" | |
| else | |
| puts "Password was incorrect" | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| source "https://rubygems.org" | |
| gem "bcrypt" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GEM | |
| remote: https://rubygems.org/ | |
| specs: | |
| bcrypt (3.1.9) | |
| PLATFORMS | |
| ruby | |
| DEPENDENCIES | |
| bcrypt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Commenting out line 15 of bcrypt_issue.rb results in both hashes passing.
This is with Ruby 2.2.0.