Possible login bypass


Feb 27, 2011, 3:01:10 AM
to Devise
I was working on doing an upgrade to the login system for an app that
I develop from an in-house system to Devise. When we did this, we added
the new fields :encrypted_password and :password_salt to the user
model. Unfortunately in the upgrade we didn't make a method to upgrade
the password and salt to the new fields, but this led to a weird bug
in our system. Basically any user that was created before the upgrade
has :encrypted_password and :password_salt set to nil. When then
trying to sign in as the user, as long as you put in a password (other
than blank), you would be able to log in as them.

Now this seems like a loophole but could also be by design. I have
taken steps to try and ensure that encrypt_pass and password_salt are
never nil, but is there a pre-defined method or option I could add
such that it will block all login attempts if the user's password/salt
are nil? Or is there a way to easily override the Devise controller
and write my own? I only want to do it for the sign_in controller as
the other methods seem to be working fine.

Thanks for the advice and suggestions.
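The guard the poster is asking about, as an added example that is not code from the original thread or from Devise: a stand-in user record and a `valid_password?` check that refuses to authenticate any account whose stored hash or salt is missing, so a half-migrated legacy row can never be signed in. The digest routine, `PEPPER`, `STRETCHES` and the sample records are constructed for the example; in a real Devise model the same guard would go in an override of `valid_password?` that returns false before calling `super`.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for a Devise 1.1-era user record (not Devise's own model).
# Rows migrated from the legacy system without re-hashing have both fields nil.
User = Struct.new(:email, :encrypted_password, :password_salt, keyword_init: true)

STRETCHES = 10                      # constructed; mirrors Devise's "stretches" idea
PEPPER    = "constructed-pepper"    # constructed; mirrors Devise's "pepper" idea

# Simple SHA-256 stretching standing in for Devise's encryptor (assumption).
def password_digest(password, salt)
  digest = PEPPER
  STRETCHES.times do
    digest = Digest::SHA256.hexdigest([digest, salt, password, PEPPER].join("--"))
  end
  digest
end

# Defensive check: an empty candidate, a missing stored hash or a missing salt
# all fail closed, so no comparison against nil can ever succeed by accident.
def valid_password?(user, candidate)
  return false if candidate.nil? || candidate.empty?
  return false if user.encrypted_password.to_s.empty? || user.password_salt.to_s.empty?

  expected = password_digest(candidate, user.password_salt)
  stored   = user.encrypted_password
  # Constant-time comparison so the check does not leak where the hashes diverge.
  return false unless expected.bytesize == stored.bytesize
  expected.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Builds a fully migrated user with a fresh random salt and a real hash.
def build_user(email, password)
  salt = SecureRandom.hex(16)
  User.new(email: email, encrypted_password: password_digest(password, salt), password_salt: salt)
end

# Constructed legacy account: neither field was populated by the migration.
LEGACY_USER = User.new(email: "legacy@example.com", encrypted_password: nil, password_salt: nil)
```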


José Valim

Feb 27, 2011, 3:51:16 AM
to Devise
I would consider this a bug. Which Devise version are you using?


Feb 27, 2011, 5:30:11 PM
to Devise
1.1.5 and warden 1.0.3, as far as I know it's the latest versions. Do
you need any other information from me? I am happy to see it is a bug
and not something I programmed wrong, because I couldn't dissect it any
further on my end.


Mar 2, 2011, 1:13:02 PM
to Devise
Sorry for the bump on this, but I was wondering if you were able to
decide if this is a Devise bug or if it was a bug somewhere in my
code. And if it is a bug in Devise, will it make it into the 1.2RC?
