Why does Redis not work with requirepass directive?

Question

I want to set a password to connect to a Redis server.

The appropriate way to do that is using the requirepass directive in the configuration file. http://redis.io/commands/auth

However, after setting the value, I get this upon restarting Redis:

Stopping redis-server: redis-server.
Starting redis-server: Segmentation fault (core dumped)
failed

Why is that?

Answer 1

The password length is limited to 512 characters.

In redis.h:

#define REDIS_AUTHPASS_MAX_LEN 512

In config.c:

    } else if (!strcasecmp(argv[0],"requirepass") && argc == 2) {
        if (strlen(argv[1]) > REDIS_AUTHPASS_MAX_LEN) {
            err = "Password is longer than REDIS_AUTHPASS_MAX_LEN";
            goto loaderr;
        }
        server.requirepass = zstrdup(argv[1]);
    }

Now, the parsing mechanism of the configuration file is quite basic. All the lines are split using the sdssplitargs function of the sds (string management) library. This function interprets specific sequence of characters such as:

• single and double quotes
• \x hex digits
• special characters such as \n, \r, \t, \b, \a

Here the problem is your password contains a single double quote character. The parsing fails because there is no matching double quote at the end of the string. In that case, the sdssplitargs function returns a NULL pointer. The core dump occurs because this pointer is not properly checked in the config.c code:

    /* Split into arguments */
    argv = sdssplitargs(lines[i],&argc);
    sdstolower(argv[0]);

This is a bug that should be filed IMO.

A simple workaround would be to replace the double quote character or any other interpreted characters by an hexadecimal sequence (ie. \x22 for the double quote).