Spring Security - SEC-1031

LdapShaPasswordEncoder.isPasswordValid startOfHash off by one

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: LDAP
    • Labels: None

      Description

      In LdapShaPasswordEncoder.isPasswordValid the startOfHash variable is initialized to prefix.length() + 1.
      This causes the first character of the hash values to be skipped in the subsequent equals invocation.
      Is there some (undocumented) reason that the first character of the hash is being skipped, or is this a bug?

      Example:
      encPass = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
      rawPass = "pass"
      prefix = "{SHA}"
      startOfHash = 6 (should be 5: prefix.length())
      encodedRawPass = "U4eI71bcnBGqeO0t9tXvY1u5oQ=" (should be "nU4eI71bcnBGqeO0t9tXvY1u5oQ=")
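An added illustration of the off-by-one reported above. This is example code written for this page, not Spring Security's own implementation: it reimplements the LDAP {SHA}/{SSHA} encoding and the prefix-stripping comparison so the reported offset (prefix.length() + 1) and the corrected one (prefix.length()) can be run side by side. The {SSHA} branch, the plaintext fallback when no prefix is present, and the use of hmac.compare_digest are assumptions of this example beyond what the issue states.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed from the values in the issue: "{SHA}" + base64(SHA-1("pass")).
ENC_PASS = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="


def extract_prefix(enc_pass: str) -> Optional[str]:
    """Return the '{SCHEME}' prefix including both braces, or None if there is none."""
    if not enc_pass.startswith("{"):
        return None
    close = enc_pass.find("}")
    if close < 0:
        raise ValueError("unterminated scheme prefix")
    return enc_pass[: close + 1]


def encode_password(raw_pass: str, salt: bytes = b"") -> str:
    """LDAP-style encoding: {SHA} unsalted, {SSHA} with the salt appended to the digest."""
    digest = hashlib.sha1(raw_pass.encode("utf-8") + salt).digest()
    if salt:
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def extract_salt(enc_pass: str) -> bytes:
    """For {SSHA}, the salt is whatever follows the 20-byte SHA-1 digest."""
    prefix = extract_prefix(enc_pass)
    if prefix != "{SSHA}":
        return b""
    return base64.b64decode(enc_pass[len(prefix):])[20:]


def is_password_valid(enc_pass: str, raw_pass: str, off_by_one: bool) -> Tuple[bool, int]:
    """Return (valid, hash chars compared). off_by_one=True reproduces the reported
    startOfHash = prefix.length() + 1; False uses the corrected prefix.length()."""
    prefix = extract_prefix(enc_pass)
    if prefix is None:  # no scheme prefix: plain comparison (assumed fallback behaviour)
        return hmac.compare_digest(enc_pass.encode(), raw_pass.encode()), len(enc_pass)
    start_of_hash = len(prefix) + (1 if off_by_one else 0)
    stored = enc_pass[start_of_hash:]
    computed = encode_password(raw_pass, extract_salt(enc_pass))[start_of_hash:]
    # Constant-time comparison is a hardening choice of this example, not the issue's code.
    return hmac.compare_digest(stored, computed), len(stored)
```

Because both strings are cut at the same offset, a correct password still validates under the bug; what is lost is that the first base64 character of the stored hash is never compared, so a stored value altered in that position is still accepted.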

        Activity

        Luke Taylor added a comment -

        Thanks for spotting this. I've made the fix in the trunk and 2.0.x maintenance branch.


          People

          • Assignee: Luke Taylor
          • Reporter: Tom Leccese
