[tor-bugs] #17634 [Tor Launcher]: Be more strict if applying double quotes around passwords

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 24 16:03:52 UTC 2015


#17634: Be more strict if applying double quotes around passwords
--------------------------+-----------------------------------
 Reporter:  gk            |          Owner:  brade
     Type:  defect        |         Status:  needs_information
 Priority:  Low           |      Milestone:
Component:  Tor Launcher  |        Version:
 Severity:  Minor         |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
  Sponsor:                |
--------------------------+-----------------------------------

Comment (by gk):

 Replying to [comment:4 mcs]:
 > Is the issue here that we allow a-f (lowercase) without adding double
 quotes? Or that an empty pwdArg might go through unquoted?

 The former. The latter is spec-conform as in this case just
 "AUTHENTICATE\r\n" is sent as far as I see it. Whether we should allow
 this is from the controller side is a different thing. Maybe failing hard
 would be a smart thing to do as there seems to be something horribly wrong
 if `_crypto_rand_int()` is broken?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17634#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list