[ https://issues.apache.org/jira/browse/CODEC-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17869700#comment-17869700 ]
Sebb commented on CODEC-182:
----------------------------
Crypt.crypt() delegates to Sha2Crypt, but it should at least ensure that the
correct Sha2Crypt method is chosen for the prefix.
The Sha2Crypt implementation currently requires the salt to include a valid
prefix, but does not check it for consistency with the method.
It might make sense to add such a check, and update the Javadoc to state the
actual requirements for the salt.
> Allow real salts in Sha2Crypt
> -----------------------------
>
> Key: CODEC-182
> URL: https://issues.apache.org/jira/browse/CODEC-182
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Felix Kaser
> Priority: Minor
>
> The javadoc for all the methods in Sha2Crypt clearly states to pass a "real
> salt" in as parameter, without prefix and without "rounds=...". But the crypt
> method first of all checks if the salt matches a regex pattern, which
> requires it to contain at least a leading $5$ or $6$, possibly a rounds=...
> and then the real salt.
> Imho either the javadoc should be adapted to tell developers which salt to
> pass in, or the crypt method should match the salt after adding the prefix
> itself.
> I am new to the apache commons community, so please correct me if I'm totally
> wrong here.
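
The consistency check suggested in the comment above, as an added Java example that is not Commons Codec code and not part of the original message. The class, enum and method names are hypothetical, and the salt grammar used here (a `$5$` or `$6$` prefix, an optional `rounds=N$`, then 1 to 16 characters from `[./a-zA-Z0-9]`) is an assumption based on the crypt(3) SHA-2 convention.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example; SaltCheck and its members are hypothetical names, not Commons Codec API. */
public class SaltCheck {
    /** The two SHA-2 crypt methods and the prefix digit each one expects. */
    enum Method {
        SHA256("5"), SHA512("6");
        final String id;
        Method(String id) { this.id = id; }
    }

    // Assumed salt grammar: $5$ or $6$, optional rounds=N$, then the real salt.
    // Not anchored at the end, so a full stored hash may be passed as the salt.
    private static final Pattern SPEC =
        Pattern.compile("^\\$([56])\\$(?:rounds=(\\d+)\\$)?([./a-zA-Z0-9]{1,16})");

    /** Returns the bare salt if the spec is well formed and its prefix matches the method. */
    static String checkSalt(Method method, String spec) {
        if (spec == null) {
            throw new IllegalArgumentException("salt must not be null");
        }
        Matcher m = SPEC.matcher(spec);
        if (!m.find()) {
            throw new IllegalArgumentException("missing $5$/$6$ prefix or empty salt: " + spec);
        }
        // The check the comment asks for: prefix and chosen method must agree.
        if (!m.group(1).equals(method.id)) {
            throw new IllegalArgumentException(
                "prefix $" + m.group(1) + "$ does not match method " + method);
        }
        return m.group(3);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid, valid with rounds, bare salt, prefix only.
        String[] specs = { "$5$abcdefgh", "$6$rounds=5000$abcdefgh", "abcdefgh", "$6$" };
        for (Method method : Method.values()) {
            for (String spec : specs) {
                try {
                    System.out.println(method + " " + spec + " -> salt " + checkSalt(method, spec));
                } catch (IllegalArgumentException e) {
                    System.out.println(method + " " + spec + " -> rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The bare salt `abcdefgh` is rejected for both methods, which is the behaviour the issue description reports as conflicting with the Javadoc.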