Date: Tue, 16 Feb 2016 00:51:16 +0100
From: magnum <>
Subject: Re: ExecOnCrackedPassword

On 2016-02-16 00:39, Solar Designer wrote:
> I think the ExecOnCrackedPassword feature, which just got in, is
> unacceptable as currently implemented. (...)

I wasn't expecting you to love it ;-)

> We could add a huge warning about just how very insecure this feature
> is (in multiple ways, in fact), but even then it's also unreliable,
> since it exec's the program via system(), so it would fail on shell
> escapes seen in passwords.
> Maybe we should revert those commits for now, and use this opportunity
> to set some minimum pre-commit quality standards for jumbo?

Right, I was already leaning towards that conclusion while handling

> As to the feature, I understand why it may be desirable, so maybe it can
> be reimplemented with passing of the two strings (username and password)
> via stdin (the example bash script would then use "read").  Even then,
> there would need to be a separator character, which could occur in a
> username... but luckily (for this) we don't currently support ':' (by
> default), linefeed, and NUL in usernames.  So maybe just use linefeed.

Maybe. For now I'll revert the commits and open an issue for the feature
instead. I won't accept PRs until we have agreed on the details.
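
The stdin hand-off proposed in the quoted text, sketched as an added example that is not part of the original message and is not John the Ripper code. `run_hook` is a hypothetical helper that starts the hook with `execv` (no shell) and writes the username and password, one per line, to its stdin; the `/bin/sh` hook in `main` is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run the hook argv[] without a shell and write
 * "user\npass\n" to its stdin. Returns its exit status, or -1 on error. */
int run_hook(char *const argv[], const char *user, const char *pass)
{
    int fd[2], status;
    pid_t pid;

    /* Linefeed is the separator, so refuse it in the username. Refusing it in
     * the password too is this sketch's assumption, so that a line-oriented
     * hook always sees exactly two lines. */
    if (strchr(user, '\n') || strchr(pass, '\n') || pipe(fd) < 0)
        return -1;
    signal(SIGPIPE, SIG_IGN); /* a hook that exits early must not kill us */
    pid = fork();
    if (pid < 0) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    if (pid == 0) { /* child: read end of the pipe becomes stdin */
        signal(SIGPIPE, SIG_DFL);
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]);
        close(fd[1]);
        execv(argv[0], argv); /* no shell, and no secrets in argv */
        _exit(127);
    }
    close(fd[0]);
    /* The bytes travel verbatim; nothing interprets them as shell syntax. */
    dprintf(fd[1], "%s\n%s\n", user, pass);
    close(fd[1]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample: the hook echoes its two input lines back. */
    char *const hook[] = {"/bin/sh", "-c", "IFS= read -r u; IFS= read -r p; printf '%s / %s\\n' \"$u\" \"$p\"", NULL};
    return run_hook(hook, "alice", "a;$(id)'b");
}
```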

