Simon Levermann created CODEC-245:

             Summary: RegEx for verifying salts in ShaCrypt is incorrect
                 Key: CODEC-245
             Project: Commons Codec
          Issue Type: Bug
    Affects Versions: 1.11
            Reporter: Simon Levermann

The regex/code that extracts the salt from a given salt string in Sha2Crypt 
treats some invalid salt formats as valid:
The code then goes on to use capture group 3 (the round count) to determine how 
many rounds are used, and capture group 4 (the actual salt) to use as salt data.

However, for an input that contains an invalid salt specification like this:
This string is treated as valid. The operation then uses "notrounds" as the 
salt for hashing:
System.out.println(Sha2Crypt.sha256Crypt(new byte[100], 
The above code prints
This code should probably throw an exceptions. Additionally, other invalid salt 
strings like

Result in hashes like:
Completely ignoring the rounds parameter, and using the literal string "rounds" 
as the salt for hashing.


This message was sent by Atlassian JIRA

Reply via email to