[ 
https://issues.apache.org/jira/browse/CODEC-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895006#comment-17895006
 ] 

Gary D. Gregory commented on CODEC-182:
---------------------------------------

Hi [~sebb]
Where are we on this issue?

I think we should drop the mention of "real salt" from the Javadoc, which [PR 
301|https://github.com/apache/commons-codec/pull/301] does, since there is no 
way we can verify a salt is actually unique random data for whatever the 
application context might be. The same applies to our `Md5Crypt` class, it 
seems, which also talks about using a "real salt".

Step 1: Update the Javadoc for `Sha2Crypt` and `Md5Crypt`. Let's get that in 
git.
Step 2: Consider behavioral changes.

What do you all think?
CC [~kaserf]

> Allow real salts in Sha2Crypt
> -----------------------------
>
>                 Key: CODEC-182
>                 URL: https://issues.apache.org/jira/browse/CODEC-182
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.9
>            Reporter: Felix Kaser
>            Priority: Minor
>
> The javadoc for all the methods in Sha2Crypt clearly states to pass a "real 
> salt" in as parameter, without prefix and without "rounds=...". But the crypt 
> method first of all checks if the salt matches a regex pattern, which 
> requires it to contain at least a leading $5$ or $6$, possibly a rounds=... 
> and then the real salt.
> IMHO either the javadoc should be adapted to tell developers which salt to 
> pass in, or the crypt method should match the salt after adding the prefix 
> itself.
> I am new to the Apache Commons community, so please correct me if I'm totally 
> wrong here.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
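A worked example of the salt shape the issue describes, added here and not part of the Jira thread or of Commons Codec itself. It assumes commons-codec 1.9 or later on the classpath and the public two-argument Sha2Crypt.sha512Crypt(byte[], String); the class and method names Sha2CryptSaltExample, newRawSalt, sha512SaltString, hashPassword and verifyPassword are the example's own, and the assumption that the failed pattern match surfaces as an IllegalArgumentException is labelled in the code. It generates the "real salt" from the crypt(3) alphabet, shows that passing it bare trips the pattern check, wraps it in the "$6$rounds=N$" form the method actually parses, and verifies a password by feeding the stored string back in as the salt.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import org.apache.commons.codec.digest.Sha2Crypt;

/**
 * Added example (not Commons Codec code): what Sha2Crypt actually accepts as its
 * salt argument, as described in CODEC-182. Assumes commons-codec 1.9 or later
 * and the two-argument Sha2Crypt.sha512Crypt(byte[], String).
 */
public class Sha2CryptSaltExample {

    /** crypt(3) salt alphabet "./0-9A-Za-z"; SHA-crypt uses at most 16 of these characters. */
    private static final String SALT_ALPHABET =
            "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    private static final SecureRandom RNG = new SecureRandom();

    /** The "real salt": fresh random characters from the crypt alphabet, no prefix, no rounds. */
    static String newRawSalt(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(SALT_ALPHABET.charAt(RNG.nextInt(SALT_ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Builds the salt string Sha2Crypt wants: "$6$" + optional "rounds=N$" + real salt. */
    static String sha512SaltString(String rawSalt, int rounds) {
        return "$6$rounds=" + rounds + "$" + rawSalt;
    }

    /** Hashes a password with a fresh 16-character salt and an explicit work factor. */
    static String hashPassword(String password, int rounds) {
        byte[] key = password.getBytes(StandardCharsets.UTF_8);
        return Sha2Crypt.sha512Crypt(key, sha512SaltString(newRawSalt(16), rounds));
    }

    /**
     * Verifies a password against a stored "$6$rounds=N$salt$hash" string. Passing the whole
     * stored string back in as the salt works because the pattern only consumes the prefix,
     * the rounds field and the salt characters and ignores the trailing hash. The comparison
     * is constant-time so the check does not leak how many leading characters matched.
     */
    static boolean verifyPassword(String password, String stored) {
        byte[] key = password.getBytes(StandardCharsets.UTF_8);
        String recomputed = Sha2Crypt.sha512Crypt(key, stored);
        return MessageDigest.isEqual(
                recomputed.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String raw = newRawSalt(16);

        // 1. The "real salt" the Javadoc describes, passed on its own: rejected by the pattern check.
        try {
            Sha2Crypt.sha512Crypt("hunter2".getBytes(StandardCharsets.UTF_8), raw);
            System.out.println("bare salt accepted (library behaviour differs from 1.9)");
        } catch (IllegalArgumentException e) {
            // Assumption of this example: the failed regex match in 1.9 is reported this way.
            System.out.println("bare salt rejected: " + e.getMessage());
        }

        // 2. The same salt with the "$6$" prefix (and rounds=) is what the method actually parses.
        String stored = hashPassword("hunter2", 10000);
        System.out.println("stored: " + stored);

        // 3. Round-trip verification using the stored string as the salt argument.
        System.out.println("correct password verifies: " + verifyPassword("hunter2", stored));
        System.out.println("wrong password verifies:   " + verifyPassword("hunter3", stored));
    }
}
```

Two practitioner notes on the above. The salt is written in clear into the output string, so its job is to be unique per stored password, not secret; nothing in the library can tell a fresh SecureRandom salt from a constant string, which is why the Javadoc wording is the only place the requirement can live. SHA-crypt also uses at most 16 salt characters, so anything longer than that after the prefix is silently ignored by the pattern rather than rejected; generating exactly 16 characters from the crypt alphabet avoids both the pattern failure and the silent truncation.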
