Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-582?page=comments#action_12367106 ]
Emmanuel Lecharny commented on DIRSERVER-582:
---------------------------------------------
We have the same probelm in getAlgorithmForHashedPassword method :
sPassword = new String( ( byte[] ) password ); is wrong, it should be
sPassword = StringTools.utf8ToString( ( byte[] ) password );
> <potential bug in password comparison
> -------------------------------------
>
> Key: DIRSERVER-582
> URL: http://issues.apache.org/jira/browse/DIRSERVER-582
> Project: Directory ApacheDS
> Type: Bug
> Versions: 1.0-RC2
> Reporter: Emmanuel Lecharny
>
> While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation :
> userPassword = ( ( String ) userPassword ).getBytes();
> ...
> credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
> in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
> This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
> Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Closed: (DIRSERVER-582)
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-582?page=all ]
Emmanuel Lecharny closed DIRSERVER-582.
---------------------------------------
Resolution: Fixed
Fixed in 1.0-trunks and in 1.1-truks : revision 432037 & 432038
> <potential bug in password comparison
> -------------------------------------
>
> Key: DIRSERVER-582
> URL: http://issues.apache.org/jira/browse/DIRSERVER-582
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.0-RC2
> Reporter: Emmanuel Lecharny
> Assigned To: Emmanuel Lecharny
>
> While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation :
> userPassword = ( ( String ) userPassword ).getBytes();
> ...
> credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
> in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
> This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
> Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira