Simon Levermann created CODEC-245:
Summary: RegEx for verifying salts in ShaCrypt is incorrect
Project: Commons Codec
Issue Type: Bug
Affects Versions: 1.11
Reporter: Simon Levermann
The regex/code that extracts the salt from a given salt string in Sha2Crypt
treats some invalid salt formats as valid:
The code then goes on to use capture group 3 (the round count) to determine how
many rounds are used, and capture group 4 (the actual salt) to use as salt data.
However, for an input that contains an invalid salt specification like this:
This string is treated as valid. The operation then uses "notrounds" as the
salt for hashing:
The above code prints
This code should probably throw an exception. Additionally, other invalid salt
Result in hashes like:
Completely ignoring the rounds parameter, and using the literal string "rounds"
as the salt for hashing.
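Added example, not code from the Commons Codec project: a Python reimplementation of the lenient regex-based salt parse described in this report (the pattern shape is an assumption modelled on the behaviour above, not a verbatim copy of Sha2Crypt), beside a strict parser that rejects a malformed rounds clause instead of silently treating "notrounds" or "rounds" as the salt.

```python
import re
import string

DEFAULT_ROUNDS = 5000
ROUNDS_MIN, ROUNDS_MAX = 1000, 999_999_999   # clamp range used by sha-crypt implementations
SALT_CHARS = set("./" + string.ascii_letters + string.digits)

# Lenient pattern (assumed shape): the rounds clause is optional, the salt stops at the
# first non-salt character, and a trailing ".*" swallows whatever is left over.
LENIENT = re.compile(r"^\$([56])\$(rounds=(\d+)\$)?([./a-zA-Z0-9]{1,16}).*")


def parse_lenient(salt_string):
    """Reproduces the reported behaviour: returns (rounds, salt) or None."""
    m = LENIENT.match(salt_string)
    if m is None:
        return None
    rounds = int(m.group(3)) if m.group(3) else DEFAULT_ROUNDS
    return rounds, m.group(4)


def parse_strict(salt_string):
    """Returns (rounds, salt); raises ValueError on any malformed salt string."""
    if salt_string[:3] not in ("$5$", "$6$"):
        raise ValueError("unknown hash prefix")
    rest = salt_string[3:]
    rounds = DEFAULT_ROUNDS
    if rest.startswith("rounds"):
        # Once the 'rounds' keyword appears it must be a complete 'rounds=<digits>$' clause;
        # 'rounds$', 'rounds=abc$' etc. are malformed specifications, not salts.
        head, sep, rest = rest.partition("$")
        if not sep or not re.fullmatch(r"rounds=\d+", head):
            raise ValueError("malformed rounds specification: %r" % head)
        rounds = min(max(int(head[len("rounds="):]), ROUNDS_MIN), ROUNDS_MAX)
    salt = rest.split("$", 1)[0]          # salt ends at the next '$' (or end of string)
    if not 1 <= len(salt) <= 16 or not set(salt) <= SALT_CHARS:
        raise ValueError("invalid salt: %r" % salt)
    return rounds, salt


def is_well_formed(salt_string):
    try:
        parse_strict(salt_string)
        return True
    except ValueError:
        return False
```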