Hi! We've seen the fix on https://github.com/networknt/light-4j/blob/master/config/src/main/java/com/networknt/config/yml/YmlConstants.java has been reverted, and the constant used for the regex to match encrypted passwords is now way more restrictive than it used to be.
It used to be like:
public static final Pattern CRYPT_PATTERN = Pattern.compile("^CRYPT:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$");
And now it's like:
public static final Pattern CRYPT_PATTERN = Pattern.compile("CRYPT:[a-zA-Z0-9:]+");
The consequence is that all the passwords already in place cannot be decrypted, as they don't match this new regex. This change was fixed in https://github.com/networknt/light-4j/issues/1825 to solve the issue, but it has been reverted. Could it be that it was reverted by mistake?
Many thanks in advance
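To see which stored values each pattern accepts, the following added example (not part of the issue or of light-4j) runs the two patterns quoted above over constructed sample values. The class name, the sample values, and the choice to show both `matches()` and `find()` are assumptions; the page does not say which call light-4j uses.

```java
import java.util.regex.Pattern;

public class CryptPatternCheck {
    // Both patterns are copied verbatim from the issue text.
    static final Pattern OLD_PATTERN = Pattern.compile(
        "^CRYPT:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$");
    static final Pattern NEW_PATTERN = Pattern.compile("CRYPT:[a-zA-Z0-9:]+");

    // Constructed sample values, not real secrets.
    static final String[] SAMPLES = {
        "CRYPT:q83vEjRWeJ+/3q2+7w==",   // Base64 body with '+', '/' and '=' padding
        "CRYPT:0a1b2c3d:4e5f6a7b8c9d",  // colon-separated alphanumeric body
    };

    public static void main(String[] args) {
        for (String value : SAMPLES) {
            // matches() requires the whole string to fit the pattern.
            boolean oldFull = OLD_PATTERN.matcher(value).matches();
            boolean newFull = NEW_PATTERN.matcher(value).matches();
            // find() accepts any matching substring; the new pattern is unanchored.
            boolean newFind = NEW_PATTERN.matcher(value).find();
            System.out.printf("%-30s old.matches=%-5b new.matches=%-5b new.find=%b%n",
                value, oldFull, newFull, newFind);
        }
    }
}
```

Under `matches()`, the Base64 sample passes only the old pattern and the colon-separated sample passes only the new one. `find()` with the unanchored new pattern still reports a hit on the Base64 sample, because it matches only the leading alphanumeric run and ignores the rest of the value.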
CRYPT regexp in YmlConstants has been adapted only to allow AES alike passwords, rendering all previous passwords no longer valid. This regex also invalidates the possibility of using customised Decryptors.
younggwon1 pushed a commit to younggwon1/light-4j that referenced this issue Feb 10, 2024