in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded)
Description
While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation :
userPassword = ( ( String ) userPassword ).getBytes();
...
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded)
We have the same probelm in getAlgorithmForHashedPassword method :
sPassword = new String( ( byte[] ) password ); is wrong, it should be
sPassword = StringTools.utf8ToString( ( byte[] ) password );
Emmanuel Lecharny added a comment - 21/Feb/06 08:28 AM We have the same probelm in getAlgorithmForHashedPassword method :
sPassword = new String( ( byte[] ) password ); is wrong, it should be
sPassword = StringTools.utf8ToString( ( byte[] ) password );
Bug
Closed
Major
<potential bug in password comparison
sPassword = new String( ( byte[] ) password ); is wrong, it should be
sPassword = StringTools.utf8ToString( ( byte[] ) password );