
SEC-1031: LdapShaPasswordEncoder.isPasswordValid startOfHash off by one #1282

spring-issuemaster opened this Issue Nov 11, 2008 · 1 comment


Tom Leccese (Migrated from SEC-1031) said:

in LdapShaPasswordEncoder.isPasswordValid the startOfHash variable is initialized to prefix.length() + 1.
This causes the first character of the hash values to be skipped in the subsequent equals invocation.
Is there some (undocumented) reason that the first character of the hash is being skipped, or is this a bug?

encPass = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
rawPass = "pass"
prefix = "{SHA}"
startOfHash = 6 (should be 5: prefix.length())
encodedRawPass = "U4eI71bcnBGqeO0t9tXvY1u5oQ=" (should be "nU4eI71bcnBGqeO0t9tXvY1u5oQ=")
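
Added example (Python, written for this page; not Spring Security's LdapShaPasswordEncoder code): a minimal model of the unsalted {SHA} check, with startOfHash applied to both sides as the report describes, showing that the off-by-one still accepts the correct password but also accepts a stored value whose first hash character does not match, which is why it matters for verification.

```python
import base64
import hashlib
import hmac

PREFIX = "{SHA}"


def ldap_sha_encode(raw_pass: str) -> str:
    """Unsalted LDAP {SHA} form: prefix + base64(SHA-1(password))."""
    digest = hashlib.sha1(raw_pass.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def hash_part(enc_pass: str, off_by_one: bool) -> str:
    """The substring the comparison actually sees after slicing at startOfHash.

    off_by_one=True  -> startOfHash = len(prefix) + 1 (the reported bug)
    off_by_one=False -> startOfHash = len(prefix)     (the fix)
    """
    start_of_hash = len(PREFIX) + (1 if off_by_one else 0)
    return enc_pass[start_of_hash:]


def is_password_valid(enc_pass: str, raw_pass: str, off_by_one: bool) -> bool:
    """Model of the check in the report: the stored value and the freshly
    encoded password are both sliced at startOfHash, then compared."""
    if not enc_pass.startswith(PREFIX):
        return False
    stored = hash_part(enc_pass, off_by_one)
    encoded_raw = hash_part(ldap_sha_encode(raw_pass), off_by_one)
    # Constant-time comparison (the original used String.equals).
    return hmac.compare_digest(stored.encode(), encoded_raw.encode())


# Constructed input: the values quoted in the report.
ENC_PASS = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
# Constructed: same stored value with its first hash character altered.
# A correct check must reject "pass" against it.
ENC_PASS_CORRUPT = "{SHA}XU4eI71bcnBGqeO0t9tXvY1u5oQ="

if __name__ == "__main__":
    print(hash_part(ENC_PASS, off_by_one=True))    # U4eI71bcnBGqeO0t9tXvY1u5oQ=
    print(hash_part(ENC_PASS, off_by_one=False))   # nU4eI71bcnBGqeO0t9tXvY1u5oQ=
    print(is_password_valid(ENC_PASS_CORRUPT, "pass", off_by_one=True))   # True (bug)
    print(is_password_valid(ENC_PASS_CORRUPT, "pass", off_by_one=False))  # False
```

With the bug, the comparison covers one base64 character (six bits) less of the digest than it should; the fix restores the full-length comparison.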

Luke Taylor said:

Thanks for spotting this. I’ve made the fix in the trunk and 2.0.x maintenance branch.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
