Details
Bug
Status: Closed
Major
Resolution: Fixed
2.4.104, 2.5.139-beta
None
Description
AbstractUserDatabase.getHash():
    MessageDigest md = MessageDigest.getInstance( "SHA" );
    md.update( text.getBytes() );
    byte[] digestedBytes = md.digest();
Using text.getBytes() means that passwords outside of the US-ASCII range are hashed with the platform's default encoding. This means that the user database cannot be moved to another computer with a different default encoding.
The suggestion is to use UTF-8; that should be backwards compatible with the current case.
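The following is an added example, not the project's own code, showing the encoding dependence described above: the same password is hashed with two charsets standing in for the platform default on two machines and compared against the explicit UTF-8 hash. The class name HashEncodingDemo, the helper hash() and the sample passwords are assumptions made for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashEncodingDemo {

    // Hashes text with the same "SHA" digest as getHash(), but with an explicit charset
    // instead of the platform default that text.getBytes() silently picks.
    static String hash(String text, Charset cs) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(text.getBytes(cs));
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample passwords: one pure US-ASCII, one with non-ASCII characters.
        String[] passwords = { "correct-horse", "p\u00e4ssw\u00f6rd" };
        // Charsets standing in for the default encoding of two different hosts.
        Charset[] platformDefaults = { StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8 };

        for (String pw : passwords) {
            // Hash produced by the suggested fix: always encode as UTF-8.
            String fixed = hash(pw, StandardCharsets.UTF_8);
            for (Charset cs : platformDefaults) {
                // Hash that text.getBytes() would have stored on a host with this default.
                String stored = hash(pw, cs);
                boolean asciiOnly = StandardCharsets.US_ASCII.newEncoder().canEncode(pw);
                System.out.printf("asciiOnly=%b default=%s stored=%s matchesUtf8=%b%n",
                        asciiOnly, cs.name(), stored, stored.equals(fixed));
            }
        }
    }
}
```

The US-ASCII password produces the same digest under both charsets, while the non-ASCII password matches the UTF-8 digest only on the host whose default was already UTF-8, which is the portability problem the report describes.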