Password is always "[object ArrayBuffer" #9

Merged 1 commit, Apr 20, 2014

@Ventero Ventero commented Apr 17, 2014

In options.js:27, the password is generated as btoa(getRandomBytes(16)).

As documented on MDN, btoa accepts a string argument. However, since getRandomBytes returns an ArrayBuffer, it is implicitly converted to a string by calling .toString() on it - which for an ArrayBuffer returns "[object ArrayBuffer]".

In the next line, the last 2 characters of the Base64 encoded password are then removed, effectively setting password to W29iamVjdCBBcnJheUJ1ZmZlcl (or [object ArrayBuffer when decoded).

A possible fix for this would be something like:

var password = btoa(getString(getRandomBytes(16)));
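
The behaviour reported above, reproduced as an added example that is not part of the original pull request or the project's code. The function names are hypothetical, bufferToBinaryString stands in for the project's getString, and the buffers are constructed samples in place of the output of getRandomBytes(16).

```javascript
// Added illustration; not code from the project. The helper names below are
// hypothetical, and the buffers are constructed samples standing in for the
// ArrayBuffer that getRandomBytes(16) returns.

// Original pattern: btoa() stringifies its argument, so every ArrayBuffer
// becomes the literal text "[object ArrayBuffer]" before it is encoded.
function buggyPassword(buf) {
  const b64 = btoa(buf);
  return b64.substring(0, b64.length - 2); // drops the last 2 characters
}

// Stand-in for the project's getString(): one character per byte, which is
// the "binary string" form that btoa() expects.
function bufferToBinaryString(buf) {
  let out = "";
  for (const byte of new Uint8Array(buf)) out += String.fromCharCode(byte);
  return out;
}

// Fixed pattern from the pull request: convert the bytes first, then encode.
function fixedPassword(buf) {
  const b64 = btoa(bufferToBinaryString(buf));
  return b64.substring(0, b64.length - 2);
}

// Regression check for a password generator: the output must change with the
// input bytes and must not be the Base64 of an object tag. "W29iamVj" is the
// Base64 encoding of "[objec", the start of any "[object ...]" string.
function dependsOnInput(generate) {
  const a = Uint8Array.from({ length: 16 }, (_, i) => i).buffer;
  const b = Uint8Array.from({ length: 16 }, (_, i) => 255 - i).buffer;
  const pa = generate(a);
  const pb = generate(b);
  return pa !== pb && !pa.startsWith("W29iamVj") && !pb.startsWith("W29iamVj");
}
```

With 16 input bytes the Base64 output ends in "==", so dropping the last two characters in the fixed version only removes padding.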

@TheBlueMatt

Proposed fix looks good to me...

@liliakai

👍

btoa expects a string argument, so when passing it the ArrayBuffer
object returned by getRandomBytes(), it's converted to a string by
calling .toString() on it. This always results in "[object ArrayBuffer]",
effectively resulting in a completely non-random password.

Ventero commented Apr 17, 2014

Turned this issue into a pull request with the proposed fix attached.

TheBlueMatt pushed a commit that referenced this pull request Apr 20, 2014
Password is always "[object ArrayBuffer"
@TheBlueMatt TheBlueMatt merged commit d9e7e59 into signalapp:master Apr 20, 2014
@Ventero Ventero deleted the password branch April 20, 2014 22:16
@TheBlueMatt

@Ventero Can I get a confirmation you agree to license the above code as GPL?

Ventero commented May 2, 2014

Sure. I doubt my change reaches any threshold of originality anyway, but you can consider it as being licensed under any GPL.
