Fix in has_secure_password for passwords containing only spaces. #16412

Merged
merged 1 commit into from Aug 7, 2014

Conversation

@yevhene
Contributor

yevhene commented Aug 6, 2014

Steps:

  1. Existing model with has_secure_password. With encrypted_password stored.
  2. User tries to update the password with a password containing only spaces.
  3. Password is discarded. Model is valid and stored. Password is not changed, but no error message is given.
@chancancode
chancancode reviewed Aug 6, 2014
activemodel/lib/active_model/secure_password.rb Outdated
@@ -76,6 +76,7 @@ def has_secure_password(options = {})

validates_length_of :password, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
validates_confirmation_of :password, if: ->{ password.present? }
validates_presence_of :password, unless: ->{ password.nil? }
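Review bot: the added `validates_presence_of :password, unless: ->{ password.nil? }` turns what was a nil-vs-empty check into a password policy: `"   ".present?` is false, so a whitespace-only password is now rejected with a validation error, while the setter that discards such a value (the behaviour the description reports) is not touched by this hunk. If spaces are to count as any other character, this line should go and the discard check should change instead; if whitespace-only passwords are to be forbidden, the line above, `validates_confirmation_of :password, if: ->{ password.present? }`, still skips confirmation for exactly those values, so the two rules disagree with each other.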

@chancancode
Member

chancancode Aug 6, 2014

Why do we need this?

@yevhene
Author Contributor

yevhene Aug 6, 2014

To forbid passwords containing only spaces, and give a relevant error message.

@chancancode
Member

chancancode commented Aug 6, 2014

Not sure if we actually want to block blank passwords. It seems like the original code was written this way to catch the nil case (3e23752); since we have a different branch for that, we probably can just switch from checking blank -> empty? If people want to block empty passwords as well, they can just add another validation rule... what do you think?

@yevhene
Contributor Author

yevhene commented Aug 6, 2014

I think it would be reasonable behavior, if we accept spaces as any other char.

@chancancode
Member

chancancode commented Aug 6, 2014

seems good to me! can you add a changelog along the lines of "Fixed (what wasn't working). (Offer suggestion for those who preferred the original behavior)."? 😄

@chancancode
Member

chancancode commented Aug 6, 2014

Also, can you squash your commits?

spastorino added a commit that referenced this pull request Aug 7, 2014
Fix in has_secure_password for passwords containing only spaces.
@spastorino spastorino merged commit e2689d1 into rails:master Aug 7, 2014
1 check passed
continuous-integration/travis-ci The Travis CI build passed
@sobrinho
Contributor

sobrinho commented on f8dcb36 Aug 8, 2014

Aren't we going to be insecure by default by implementing that?

I mean, is there a use case for a password containing only white spaces?

@chancancode
Member

chancancode replied Aug 9, 2014

The original intention of this code was not to validate password strength, it was just to check if unencrypted_password was nil? or empty?. Since we have a different branch for the nil? check now, we can just use empty? for the second check.

If you needed to verify password strength (e.g. it needs to be longer than X characters, contains a mix of alphanumeric characters and symbols, etc), then you should add your own validation.

Protecting against "blank" passwords but not, say, "123456" or "password", doesn't make a lot of sense.
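The two setter behaviours this thread contrasts (discard on blank? before the fix, on empty? after it) and the advice to put any strength rule in your own validation, as an added Ruby example that is not Rails' own code: DemoDigest stands in for BCrypt using PBKDF2 from the standard library, User is a stripped-down model with the has_secure_password setter and its validations re-implemented inline (no ActiveModel), and StrictUser, its minimum length and all password values are invented for the demonstration.

```ruby
require "openssl"
require "securerandom"

# Stand-in for BCrypt (not a dependency here): salted PBKDF2-HMAC-SHA256,
# stored as "salt$hex". The hashing is not the point; the setter logic is.
module DemoDigest
  ITERATIONS = 10_000

  def self.create(plain, salt = SecureRandom.hex(8))
    key = OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITERATIONS, 32, "sha256")
    "#{salt}$#{key.unpack1('H*')}"
  end

  def self.match?(digest, plain)
    salt = digest.split("$", 2).first
    create(plain, salt) == digest
  end
end

# Minimal stand-in (no ActiveModel) for a model using has_secure_password.
# blank_check picks the setter's discard rule:
#   :present  mirrors the pre-fix code, `unencrypted_password.present?`
#   :empty    mirrors the merged fix,   `!unencrypted_password.empty?`
class User
  attr_accessor :password_digest, :password_confirmation
  attr_reader :password, :errors

  def initialize(blank_check: :empty)
    @blank_check = blank_check
    @errors = []
  end

  def password=(unencrypted_password)
    if unencrypted_password.nil?
      self.password_digest = nil
    elsif keep?(unencrypted_password)
      @password = unencrypted_password
      self.password_digest = DemoDigest.create(unencrypted_password)
    end
    # Any other value is silently dropped and the old digest survives.
  end

  def authenticate(plain)
    password_digest && DemoDigest.match?(password_digest, plain) && self
  end

  # The validations has_secure_password adds, inline: a digest must exist and
  # a supplied confirmation must match. Fills errors and returns true if valid.
  def valid?
    @errors = []
    @errors << "password can't be blank" if password_digest.nil?
    if !password_confirmation.nil? && password != password_confirmation
      @errors << "password_confirmation doesn't match password"
    end
    @errors.empty?
  end

  private

  def keep?(str)
    case @blank_check
    when :present then str !~ /\A[[:space:]]*\z/ # ActiveSupport's present?
    when :empty   then !str.empty?
    else raise ArgumentError, "unknown blank_check #{@blank_check.inspect}"
    end
  end
end

# The policy layer the reply above says belongs in the application, not in
# has_secure_password: a hypothetical minimum length plus a no-whitespace-only
# rule, producing an error message instead of a silent no-op.
class StrictUser < User
  MIN_LENGTH = 12

  def valid?
    super
    if password && (password.strip.empty? || password.length < MIN_LENGTH)
      @errors << "password must be at least #{MIN_LENGTH} characters and not only whitespace"
    end
    @errors.empty?
  end
end

# Reproduces the report: set a real password, then "update" it to spaces only
# (constructed values). Returns what an operator would observe afterwards.
def update_with_spaces(blank_check)
  user = User.new(blank_check: blank_check)
  user.password = "old-secret-1"
  user.password = "   "
  {
    valid: user.valid?,
    old_password_works: !!user.authenticate("old-secret-1"),
    spaces_work: !!user.authenticate("   "),
    errors: user.errors,
  }
end

if $PROGRAM_NAME == __FILE__
  p update_with_spaces(:present) # pre-fix: valid, old password kept, no error
  p update_with_spaces(:empty)   # post-fix: the spaces become the password
end
```

With `:present` the record stays valid, the old password still authenticates and no error is recorded, which is exactly the silent no-op the description reports; with `:empty` the digest is replaced by the whitespace-only value. StrictUser is where a site's own rule about such values belongs, and it yields an error message rather than a discarded update.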

@reichertm

reichertm commented Feb 11, 2015

Not sure if this is the commit to blame as I migrated from rails 4.0.11.1 straight to 4.2 but there seems to be a side effect to this change. It is possible now to create a new record with password set and password_confirmation being nil. In the previous version the validation was failing with the two values not matching.

5 participants