SEC-1031: LdapShaPasswordEncoder.isPasswordValid startOfHash off by one #1282

spring-issuemaster opened this Issue Nov 11, 2008 · 1 comment

1 participant


Tom Leccese (Migrated from SEC-1031) said:

In LdapShaPasswordEncoder.isPasswordValid the startOfHash variable is initialized to prefix.length() + 1.
This causes the first character of the hash values to be skipped in the subsequent equals invocation.
Is there some (undocumented) reason that the first character of the hash is being skipped, or is this a bug?

encPass = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
rawPass = "pass"
prefix = "{SHA}"
startOfHash = 6 (should be 5: prefix.length())
encodedRawPass = "U4eI71bcnBGqeO0t9tXvY1u5oQ=" (should be "nU4eI71bcnBGqeO0t9tXvY1u5oQ=")
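The off-by-one described in the report, reproduced in a small Python model added here (not Spring Security's Java code): it encodes in the LDAP {SHA} form, slices at a start index of prefix.length() versus prefix.length() + 1, and shows what each index does to the comparison. The model assumes both the stored value and the freshly encoded value are sliced at the same startOfHash before being compared; function names and the altered sample value are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA_PREFIX = "{SHA}"


def ldap_sha_encode(raw_password: str) -> str:
    """LDAP {SHA} form: prefix followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(raw_password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def hash_part(encoded: str, start_of_hash: int) -> str:
    """Models the substring(startOfHash) call from the report."""
    return encoded[start_of_hash:]


def is_password_valid(enc_pass: str, raw_pass: str, off_by_one: bool = False) -> bool:
    """Model of the check. off_by_one=True uses prefix.length() + 1 (the bug);
    False uses prefix.length() (the fix). Assumption, not taken from the
    report: both sides are sliced at the same index before comparing."""
    if not enc_pass.startswith(SHA_PREFIX):
        return False
    start_of_hash = len(SHA_PREFIX) + (1 if off_by_one else 0)
    encoded_raw = hash_part(ldap_sha_encode(raw_pass), start_of_hash)
    stored = hash_part(enc_pass, start_of_hash)
    # Constant-time comparison; String.equals in the original is not.
    return hmac.compare_digest(encoded_raw.encode("ascii"), stored.encode("ascii"))


# Constructed sample, matching the values quoted in the report.
ENC_PASS = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
RAW_PASS = "pass"
# Constructed: same stored value with only the first hash character changed.
ALTERED_ENC_PASS = "{SHA}XU4eI71bcnBGqeO0t9tXvY1u5oQ="

if __name__ == "__main__":
    print("startOfHash=5:", hash_part(ENC_PASS, 5))   # full hash
    print("startOfHash=6:", hash_part(ENC_PASS, 6))   # leading 'n' dropped
    print("fixed, altered first char accepted?", is_password_valid(ALTERED_ENC_PASS, RAW_PASS))
    print("buggy, altered first char accepted?", is_password_valid(ALTERED_ENC_PASS, RAW_PASS, True))
```

With the off-by-one index the first base64 character (six bits of the digest) is never compared, so a stored value that differs only there still validates; with the fixed index it does not.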


Luke Taylor said:

Thanks for spotting this. I’ve made the fix in the trunk and 2.0.x maintenance branch.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016