|
If you were logged in you would be able to see more operations.
|
|
|
| Resolution Date: |
16/Aug/06 09:13 PM
|
|
While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation :
userPassword = ( ( String ) userPassword ).getBytes();
...
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded)
|
|
Description
|
While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation :
userPassword = ( ( String ) userPassword ).getBytes();
...
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded) |
Show » |
|
Bug
Closed
Major
<potential bug in password comparison
sPassword = new String( ( byte[] ) password ); is wrong, it should be
sPassword = StringTools.utf8ToString( ( byte[] ) password );