cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Jirsa (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-13626) Check hashed password matches expected bcrypt hash format before checking
Date Thu, 31 Aug 2017 05:06:00 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-13626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jeff Jirsa updated CASSANDRA-13626:
-----------------------------------
    Status: Ready to Commit  (was: Patch Available)

> Check hashed password matches expected bcrypt hash format before checking
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13626
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13626
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>            Reporter: Jeff Jirsa
>            Assignee: Jeff Jirsa
>            Priority: Minor
>             Fix For: 3.0.15, 3.11.1, 4.0
>
>
> We use {{Bcrypt.checkpw}} in the auth subsystem, but do a reasonably poor job of guaranteeing
that the hashed password we send to it is really a hashed password, and {{checkpw}} does an
even worse job of failing nicely. We should at least sanity check the hash complies with the
expected format prior to validating.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message