Skip to content

Update for BCrypt wrap bug detected #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mo7ty wants to merge 5 commits into from
Closed

Update for BCrypt wrap bug detected #19

mo7ty wants to merge 5 commits into from

Conversation

@mo7ty
Copy link

@mo7ty mo7ty commented Sep 28, 2025

@notypecheck
Copy link
Owner

notypecheck commented Sep 30, 2025

Hey, thanks for the PR! Do you have time to finish it (since you've set it as "draft") or can I pick it up from there?

@mo7ty
Copy link
Author

mo7ty commented Sep 30, 2025

Hi @notypecheck!
I intend to complete this PR still today, with the missing test_handlers_bcrypt.py update.
Is there anything that also needs to be considered?

@notypecheck
Copy link
Owner

notypecheck commented Sep 30, 2025

No, not really, I'll just fix formatting and other things that linters may complain about, but you don't have to worry about that

mo7ty added 3 commits September 30, 2025 11:18
Update bcrypt >= 5.0.0 ValueError detection
775b06b
Add dynamic update of test_handlers_bcrypt._bcrypt_test data
050d68e 
* Wrap `known_correct_hashes` if handler `_fails_on_wraparound_bug`
* This updates used data for `<tests.test_handlers_bcrypt.bcrypt_bcrypt_test testMethod=test_70_hashes>`
Add dynamic update of test_handlers_bcrypt._bcrypt_test used handle…
f01cc58 
…r `truncate_error`

* Set used handler `truncate_error = _fails_on_wraparound_bug`
* This updates flag for `<tests.test_handlers_bcrypt.bcrypt_bcrypt_test testMethod=test_77_fuzz_input>`
@mo7ty
Copy link
Author

mo7ty commented Sep 30, 2025

Hi @notypecheck!
I've updated the PR, but was unable to update it for the following tests:

  • <tests.test_handlers_bcrypt.bcrypt_bcrypt_test testMethod=test_secret_w_truncate_size>
  • <tests.test_handlers_django.django_bcrypt_test testMethod=test_secret_w_truncate_size>

Can you please help here?

@notypecheck
Copy link
Owner

notypecheck commented Sep 30, 2025

I think for now it would be better to release a new version, pinning bcrypt to <5.0.0 (so people don't experience that bug, at least when installing the latest version), and then decide if it's worth keeping the old behavior, or using already existing TruncateMixin, which should raise an error in case the given password/secret exceeds 72 characters.

@mgorny
Copy link

mgorny commented Oct 1, 2025

Wouldn't it be simpler to just skip the check when using new enough bcrypt?

@notypecheck
Copy link
Owner

notypecheck commented Oct 1, 2025

@mgorny I think majority of the existing checks can be disabled, passlib at the time supported multiple bcrypt implementations (like py-bcrypt), and I don't think we need anything besides the bcrypt one nowadays.

@mo7ty
Copy link
Author

mo7ty commented Oct 1, 2025

Hi @notypecheck and @mgorny,
IMHO it makes all sense to only accept the bcrypt implementation nowadays, and also stop accounting for old behaviours (like the $2a wrap bug) in favour of possibly starting to use TruncateMixin along with passlib.exc.PasswordTruncateError.
Happy to leave this PR open and try to start that update here, where everyone's contribution and help are welcome.

@mo7ty mo7ty mentioned this pull request Oct 9, 2025
Merged
@chapmajs chapmajs mentioned this pull request Oct 10, 2025
Open
@mo7ty mo7ty mentioned this pull request Oct 12, 2025
Closed
@mo7ty
Copy link
Author

mo7ty commented Oct 12, 2025

Moved to PR Update for BCrypt wrap bug detected #24.

@mo7ty mo7ty closed this Oct 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mo7ty @notypecheck @mgorny