You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Nicholas Stuart (JIRA)" <ji...@apache.org> on 2010/02/08 21:39:28 UTC
[jira] Updated: (JCR-2489) CryptedSimpleCredentials uses .matches
on userid for equality test
[ https://issues.apache.org/jira/browse/JCR-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nicholas Stuart updated JCR-2489:
---------------------------------
Status: Patch Available (was: Open)
Index: src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java
===================================================================
--- src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java (revision 907000)
+++ src/main/java/org/apache/jackrabbit/core/security/authentication/CryptedSimpleCredentials.java (working copy)
@@ -126,7 +126,7 @@
public boolean matches(SimpleCredentials credentials)
throws NoSuchAlgorithmException, UnsupportedEncodingException {
- if (getUserID().matches(credentials.getUserID())) {
+ if (getUserID().equals(credentials.getUserID())) {
String toMatch = new String(credentials.getPassword());
String algr = getAlgorithm(toMatch);
> CryptedSimpleCredentials uses .matches on userid for equality test
> ------------------------------------------------------------------
>
> Key: JCR-2489
> URL: https://issues.apache.org/jira/browse/JCR-2489
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Affects Versions: 1.5.7
> Reporter: Nicholas Stuart
>
> CryptedSimpleCredentials use getUserId().matches(cred.getUserId()) to match the userID values, but this uses a regex so it's kind of dangerous to have this here, and actually fails if say, the username has a + in it.
> Is there a reason why .equals() is not used?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.