SEC-1031: LdapShaPasswordEncoder.isPasswordValid startOfHash off by one #1282

Closed
spring-issuemaster opened this Issue Nov 11, 2008 · 1 comment


@spring-issuemaster

Tom Leccese (Migrated from SEC-1031) said:

In LdapShaPasswordEncoder.isPasswordValid the startOfHash variable is initialized to prefix.length() + 1.
This causes the first character of the hash values to be skipped in the subsequent equals invocation.
Is there some (undocumented) reason that the first character of the hash is being skipped, or is this a bug?

Example:
encPass = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="
rawPass = "pass"
prefix = "{SHA}"
startOfHash = 6 (should be 5: prefix.length())
encodedRawPass = "U4eI71bcnBGqeO0t9tXvY1u5oQ=" (should be "nU4eI71bcnBGqeO0t9tXvY1u5oQ=")
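
The off-by-one reproduced with the values from the report, as an added example in Python (not Spring Security's own Java code): the `{SHA}` scheme is base64(SHA-1(password)), and `is_password_valid` takes the offset as a parameter so the buggy `len(prefix) + 1` and the corrected `len(prefix)` can be compared side by side. The function names and the constant-time comparison are this example's own choices. Note the failure direction: with the wrong offset every correct password is rejected (a lockout, not a bypass), which is how the defect shows up in practice.

```python
import base64
import hashlib
import hmac

PREFIX = "{SHA}"


def ldap_sha_encode(raw_password: str) -> str:
    """LDAP {SHA} scheme: the prefix followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(raw_password.encode("utf-8")).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii")


def stored_hash(enc_pass: str, start_of_hash: int) -> str:
    """The part of the stored value that gets compared, from start_of_hash on."""
    return enc_pass[start_of_hash:]


def is_password_valid(enc_pass: str, raw_pass: str, start_of_hash: int) -> bool:
    """Compare the stored hash (sliced at start_of_hash) with a fresh encoding
    of raw_pass.  start_of_hash is a parameter only so the off-by-one can be
    demonstrated; a real implementation would compute it from the prefix."""
    if not enc_pass.startswith(PREFIX):
        return False
    expected = ldap_sha_encode(raw_pass)[len(PREFIX):]
    # Constant-time comparison (hardening not present in the reported code).
    return hmac.compare_digest(stored_hash(enc_pass, start_of_hash), expected)


def buggy_is_password_valid(enc_pass: str, raw_pass: str) -> bool:
    """Behaviour reported in SEC-1031: startOfHash = prefix.length() + 1."""
    return is_password_valid(enc_pass, raw_pass, len(PREFIX) + 1)


def fixed_is_password_valid(enc_pass: str, raw_pass: str) -> bool:
    """Corrected behaviour: startOfHash = prefix.length()."""
    return is_password_valid(enc_pass, raw_pass, len(PREFIX))


if __name__ == "__main__":
    enc = "{SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ="  # value from the report
    print("encoded 'pass':", ldap_sha_encode("pass"))
    print("buggy slice   :", stored_hash(enc, len(PREFIX) + 1))
    print("buggy result  :", buggy_is_password_valid(enc, "pass"))
    print("fixed result  :", fixed_is_password_valid(enc, "pass"))
```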

@spring-issuemaster

Luke Taylor said:

Thanks for spotting this. I’ve made the fix in the trunk and 2.0.x maintenance branch.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016