
LdapShaPasswordEncoder.isPasswordValid startOfHash off by one

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: LDAP
    • Labels:
      None

      Description

      In LdapShaPasswordEncoder.isPasswordValid the startOfHash variable is initialized to prefix.length() + 1.
      This causes the first character of the hash value to be skipped in the subsequent equals invocation.
      Is there some (undocumented) reason that the first character of the hash is being skipped, or is this a bug?

      Example:
      encPass = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
      rawPass = "pass"
      prefix = "{SHA}"
      startOfHash = 6 (should be 5: prefix.length())
      encodedRawPass = "U4eI71bcnBGqeO0t9tXvY1u5oQ=" (should be "nU4eI71bcnBGqeO0t9tXvY1u5oQ=")
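      As an added illustration (not code from this issue or from Spring Security), the check below mirrors the encoder's logic in Python: strip the scheme prefix at startOfHash, recompute the hash and compare the encoded forms. The off_by_one flag reproduces the prefix.length() + 1 offset from the report, which makes the correct password fail; the {SSHA} handling, the ssha_encode helper and the constant-time comparison go beyond the issue's example and are assumptions about the salted form.

```python
import base64
import binascii
import hashlib
import hmac

# Values constructed from the issue's example: the stored value is the
# LDAP userPassword form of SHA-1("pass"), base64-encoded, with {SHA} prefix.
STORED = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
RAW = "pass"


def start_of_hash(prefix: str, off_by_one: bool) -> int:
    """Index where the base64 hash begins; the reported bug used prefix length + 1."""
    return len(prefix) + (1 if off_by_one else 0)


def is_password_valid(enc_pass: str, raw_pass: str, off_by_one: bool = False) -> bool:
    """Verify raw_pass against a {SHA} or {SSHA} userPassword value.

    Same approach as the encoder: strip the scheme prefix, recompute the
    hash, compare the encoded forms. For {SSHA} (assumed, not in the issue)
    the stored bytes are sha1(raw + salt) followed by the salt.
    """
    if enc_pass.startswith("{SSHA}"):
        prefix = "{SSHA}"
    elif enc_pass.startswith("{SHA}"):
        prefix = "{SHA}"
    else:
        return False  # unknown scheme, never valid
    stored_b64 = enc_pass[start_of_hash(prefix, off_by_one):]
    try:
        salt = base64.b64decode(stored_b64, validate=True)[20:]
    except binascii.Error:
        return False  # a hash missing its first character is not valid base64
    computed = hashlib.sha1(raw_pass.encode("utf-8") + salt).digest() + salt
    encoded_raw = base64.b64encode(computed).decode("ascii")
    # Constant-time comparison: an added hardening, not part of the original encoder.
    return hmac.compare_digest(encoded_raw, stored_b64)


def ssha_encode(raw_pass: str, salt: bytes) -> str:
    """Build a {SSHA} value (assumed layout) so the salted path can be exercised."""
    digest = hashlib.sha1(raw_pass.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
```

With the buggy offset the correct password is rejected for both schemes, which is the symptom the report describes.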

        Activity

        luke Luke Taylor added a comment -

        Thanks for spotting this. I've made the fix in the trunk and 2.0.x maintenance branch.


          People

          • Assignee: luke Luke Taylor
          • Reporter: tleccese Tom Leccese
