<potential bug in password comparison
-------------------------------------
Key: DIRSERVER-582
URL: http://issues.apache.org/jira/browse/DIRSERVER-582
Project: Directory ApacheDS
Type: Bug
Versions: 1.0-RC2
Reporter: Emmanuel Lecharny
While stepping throgh the Bind code base, I saw that the password is compared
using its byte[] representation :
userPassword = ( ( String ) userPassword ).getBytes();
...
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
in SimpleAuthenticator class. The problem is that ( ( String ) userPassword
).getBytes() may returns a wrong string if the password contains UTF-8 chars
but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1)
This line should be : userPassword = StringTools.getBytesUtf8( ( String )
userPassword );
Of course, the password *must* be contained in a UTF-8 file (server.xml must be
declared as UTF-8 encoded)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
