Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20100222164503.GA23078@openwall.com>
Date: Mon, 22 Feb 2010 19:45:03 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Trivial bug (or dangerous feature)

On Mon, Feb 22, 2010 at 03:36:30PM +0100, Magnum, P.I. wrote:
> I just got bitten by a bug, or feature, in JtR.

Intended behavior, not a bug.  Passing the name of an existing unrelated
file for the session name is a user error.

> I did locate the responsible code in recovery.c, *rec_name_complete() 
> but I'm not gonna show you my complete lack of coding skills trying to 
> submit a patch. Obviously it just checks for any dot in the name and 
> then assumes it has an extension of .rec

No, it does not assume that.  The logic is that if the supplied filename
contains a dot, then it already has a suffix (not necessarily .rec) and
thus is assumed to have been meant to be used verbatim.  Otherwise, the
.rec suffix is added.

I understand how this can be confusing/unexpected, so a reasonable
change in behavior is OK with me.  The tricky part is to determine what
behavior would be more reasonable.

> Replacing that check for a dot with a 
> check for an actual extension of .rec will suffice just fine in my opinion.

This makes sense, but it's not that simple.  There's also the .log file,
where the current behavior is to replace the last suffix in any
user-supplied session name (which is treated as a filename for the
recovery file if it has a suffix).

Another possible way to make the behavior more intuitive is to never
alter the filename (never append any suffix).  This behavior is common
with command-line tools on Unix systems, but it could be weird on
DOS'ish systems that have a notion of filename "extensions".  Also, it
is in fact handy to always be able to determine a file's format/purpose
from its name, which is a reason in favor of appending the .rec suffix
even on Unix systems.  Finally, the supplied session name is used not
only to form the .rec filename, but also the .log filename, which is a
reason to append these two suffixes in both places.  The current logic
is to use a supplied session name with a suffix already present for the
session name verbatim, but to replace that suffix with .log for the log
file.  I agree that this behavior is inconsistent and likely unexpected
by many users of JtR (although it usually does not matter), so I am
willing to change it.

I'll add this message to my "JtR requests" folder, and I might get back
to it and try to come up with a more consistent/expected approach.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.