author | Alex Gaynor <alex.gaynor@gmail.com> | 2016-10-02 21:20:13 -0400 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-10-02 20:20:13 -0500 |
commit | fcebaa0db74dc822877128e57a79dcfda2a2dc4f (patch) | |
tree | 24c40c116bb945ad671990bc0965d70c82202509 /tests | |
parent | e977a1deea4712897f1cdae9ee682fef0e8fd1ce (diff) | |
download | py-bcrypt-git-fcebaa0db74dc822877128e57a79dcfda2a2dc4f.tar.gz |
Correctly handle invalid hashed passwords in bcrypt.checkpw. (#95)
Previously it would silently accept extra data, and overread a buffer on truncated data.
Reported by Matthew Russell
Diffstat (limited to 'tests')
-rw-r--r-- | tests/test_bcrypt.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/test_bcrypt.py b/tests/test_bcrypt.py
index d9bde72..fa9a410 100644
--- a/tests/test_bcrypt.py
+++ b/tests/test_bcrypt.py
@@ -308,6 +308,15 @@ def test_hashpw_nul_byte():
     bcrypt.hashpw(b"abc\0def", salt)
 
 
+def test_checkpw_extra_data():
+    salt = bcrypt.gensalt(4)
+    hashed = bcrypt.hashpw(b"abc", salt)
+
+    assert bcrypt.checkpw(b"abc", hashed)
+    assert bcrypt.checkpw(b"abc", hashed + b"extra") is False
+    assert bcrypt.checkpw(b"abc", hashed[:-10]) is False
+
+
 @pytest.mark.parametrize(
     ("rounds", "password", "salt", "expected"),
     [[
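Review bot: The new test_checkpw_extra_data pins only the gross cases — five extra bytes and a ten-byte truncation — so an off-by-one in whatever length check the fix adds to checkpw (the C side is not in this diff, so I am inferring it from the description) would still pass; the boundary cases are the ones that matter for an overread, so add `assert bcrypt.checkpw(b"abc", hashed + b"x") is False` and `assert bcrypt.checkpw(b"abc", hashed[:-1]) is False` alongside the existing two. The first assertion is a bare truthiness check while the rejections use `is False`; for symmetry write it as `assert bcrypt.checkpw(b"abc", hashed) is True` so the test also catches checkpw returning a non-bool truthy value. The name says "extra_data" but the function also covers truncation, so either split it into test_checkpw_extra_data and test_checkpw_truncated or give it a one-line docstring such as `"""checkpw must reject hashes with trailing data or missing bytes (#95)."""` so the regression it guards is findable from the test.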