Fix in has_secure_password for passwords containing only spaces. #16412

Merged
merged 1 commit into from Aug 7, 2014

@yevhene
Contributor

yevhene commented Aug 6, 2014

Steps:

  1. Existing model with has_secure_password, with encrypted_password stored.
  2. User tries to update the password with a password containing only spaces.
  3. The password is discarded. The model is valid and stored. The password is not changed, but no error message is given.

activemodel/lib/active_model/secure_password.rb
@@ -76,6 +76,7 @@ def has_secure_password(options = {})
validates_length_of :password, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
validates_confirmation_of :password, if: ->{ password.present? }
+ validates_presence_of :password, unless: ->{ password.nil? }
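Review bot: `validates_presence_of` rejects on `blank?`, so this line turns whitespace-only passwords into a validation error, which goes beyond the reported symptom (silent discard with no message) and conflicts with the direction settled on in the discussion below, where spaces are to be accepted like any other character. The guard `unless: ->{ password.nil? }` also only has an effect if the `password=` setter assigns `@password` for whitespace input before deciding whether to keep it; that setter change is not part of this hunk. A smaller fix is to leave the validations alone and change the setter's `present?`/`blank?` check to `empty?`, so that only `""` is dropped, and note in the CHANGELOG that apps wanting to reject whitespace-only passwords should add their own validation.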


@chancancode

chancancode Aug 6, 2014

Member

Why do we need this?


@yevhene

yevhene Aug 6, 2014

Contributor

To forbid passwords containing only spaces, and give a relevant error message.

@chancancode

chancancode Aug 6, 2014

Member

Not sure if we actually want to block blank passwords. It seems like the original code was written this way to catch the nil case (3e23752); since we have a different branch for that, we probably can just switch from checking blank -> empty? If people want to block empty passwords as well, they can just add another validation rule... what do you think?

@yevhene

yevhene Aug 6, 2014

Contributor

I think it would be reasonable behavior if we accept spaces as any other char.

@chancancode

chancancode Aug 6, 2014

Member

seems good to me! can you add a changelog along the lines of "Fixed (what wasn't working). (Offer suggestion for those who preferred the original behavior)."? 😄

@chancancode

chancancode Aug 6, 2014

Member

Also, can you squash your commits?


spastorino added a commit that referenced this pull request Aug 7, 2014

Merge pull request #16412 from yevhene/master
Fix in has_secure_password for passwords containing only spaces.

@spastorino spastorino merged commit e2689d1 into rails:master Aug 7, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed

Contributor

sobrinho commented on f8dcb36 Aug 8, 2014

Aren't we going to be insecure by default by implementing that?

I mean, is there a use case for a password containing only white spaces?

@chancancode

chancancode Aug 9, 2014

Member

The original intention of this code was not to validate password strength, it was just to check if unencrypted_password was nil? or empty?. Since we have a different branch for the nil? check now, we can just use empty? for the second check.

If you needed to verify password strength (e.g. it needs to be longer than X characters, contains a mix of alphanumeric characters and symbols, etc), then you should add your own validation.

Protecting against "blank" passwords but not, say, "123456" or "password", doesn't make a lot of sense.

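To make the nil?/empty?/blank? distinction concrete, here is an added stand-alone Ruby model that mimics the setter and validations under discussion. It is not Rails code: `Account`, its `mode` switch and the `Digest::SHA256` stand-in for BCrypt are assumptions made so the example runs without gems, and `update_with_spaces` replays the scenario from the issue against both the old and the fixed check.

```ruby
require "digest"

# Stand-in for the has_secure_password setter, written to illustrate the
# blank?/empty? discussion above (not Rails code). Digest::SHA256 replaces
# BCrypt only so this runs without gems; real code must keep BCrypt.
class Account
  attr_reader :password, :password_digest, :errors
  attr_accessor :password_confirmation

  def self.digest(str)
    Digest::SHA256.hexdigest(str)
  end
  # mode :blank reproduces the old check (whitespace-only input dropped like "");
  # mode :empty is the fixed check (only "" dropped). stored_digest simulates a
  # record reloaded from the database: password_digest set, @password nil.
  def initialize(mode, stored_digest = nil)
    @mode, @password_digest, @errors = mode, stored_digest, []
  end

  def password=(unencrypted)
    if unencrypted.nil?
      @password_digest = nil              # explicit nil clears the digest
    elsif !discarded?(unencrypted)
      @password = unencrypted
      @password_digest = self.class.digest(unencrypted)
    end                                   # otherwise the input is silently ignored
  end

  # Mirrors the validations in the hunk: digest present, length cap, confirmation
  # (simplified: checked whenever a password was assigned).
  def valid?
    @errors = []
    @errors << "password_digest can't be blank" if password_digest.nil? || password_digest.empty?
    @errors << "password is too long" if password && password.length > 72
    @errors << "password_confirmation doesn't match" if password && password_confirmation != password
    @errors.empty?
  end

  private
  def discarded?(str)
    @mode == :blank ? str.strip.empty? : str.empty?
  end
end

# The issue's scenario: a reloaded record receives a whitespace-only password.
def update_with_spaces(mode)
  acct = Account.new(mode, Account.digest("old-secret"))
  acct.password = acct.password_confirmation = "   "
  { valid: acct.valid?, changed: acct.password_digest != Account.digest("old-secret"), errors: acct.errors }
end
```

With `:blank` the update reports valid with no errors while the digest is untouched, which is the silent no-op from the report; with `:empty` the spaces are hashed like any other password, and rejecting them remains a job for an app-level validation.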

@reichertm

@reichertm

reichertm Feb 11, 2015

Not sure if this is the commit to blame, as I migrated from rails 4.0.11.1 straight to 4.2, but there seems to be a side effect of this change. It is now possible to create a new record with password set and password_confirmation being nil. In the previous version the validation failed because the two values did not match.
