Issue Details (XML | Word | Printable)

Key: SEC-754
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Luke Taylor
Reporter: Cédrik LIME
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
Spring Security

Wrong byte array lenght used in Md4PasswordEncoder#encodePassword

Created: 07/Apr/08 06:09 AM   Updated: 07/Apr/08 10:03 AM
Component/s: Core
Affects Version/s: 2.0.0 RC1
Fix Version/s: 2.0.0

Time Tracking:
Original Estimate: 0.02d
Original Estimate - 0.02d
Remaining Estimate: 0.02d
Remaining Estimate - 0.02d
Time Spent: Not Specified
Remaining Estimate - 0.02d


 Description  « Hide
Part of patch for bug #SEC-728 has been incorrectly applied.

The line
md4.update(passBytes, 0, saltedPass.length());
should read
md4.update(passBytes, 0, passBytes.length());

The current (2.0RC1) version is incorrect, since the number of chars in an UTF-8 string is generally NOT equal to it number of bytes!

 All   Comments   Work Log   Change History   FishEye   Builds      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Luke Taylor added a comment - 07/Apr/08 10:03 AM
I've made the correction and added some tests with chinese passwords.


Powered by a free Atlassian JIRA open source license for Spring Framework. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.13.1-#333) - Bug/feature request - Atlassian news - Contact Administrators