directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] Created: (DIRSERVER-582) <potential bug in password comparison
Date Mon, 20 Feb 2006 23:25:24 GMT
<potential bug in password comparison

         Key: DIRSERVER-582
     Project: Directory ApacheDS
        Type: Bug
    Versions: 1.0-RC2    
    Reporter: Emmanuel Lecharny

While stepping throgh the Bind code base, I saw that the password is compared using its byte[]
representation :

userPassword = ( ( String ) userPassword ).getBytes();
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );

in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may
returns a wrong string if the password contains UTF-8 chars but the local encoding is not
UTF-8 (W$ users, mainly, who use ISO-8859-1)

This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword );

Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as
UTF-8 encoded)

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

View raw message