[
https://issues.apache.org/jira/browse/SHIRO-887?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sebastian Frey updated SHIRO-887:
---------------------------------
Description:
The FormAuthenticationFilter trims passwords which start and/or end with one or
more space character(s), which prevents login for users with such passwords.
Since spaces at the start and/or end of a password are totally legit, the
password param should not be trimmed when processed by the
FormAuthenticationFilter.
The reason for that behavior is that in the FormAuthenticationFilter,
WebUtils.getCleanParam() is called, which then calls StringUtils.clean(), which
trims passed strings.
If desired, I would prepare a PR to fix that behavior.
was:
The FormAuthenticationFilter trims passwords which start and/or end with one or
more space character(s).
Since spaces at the start and/or end of a password are totally legit, the
password param should not be trimmed when processed by the
FormAuthenticationFilter.
The reason for that behavior is that in the FormAuthenticationFilter,
WebUtils.getCleanParam() is called, which then calls StringUtils.clean(), which
trims passed strings.
If desired, I would prepare a PR to fix that behavior.
> FormAuthenticationFilter trims passwords which start and/or end with one or
> more space character(s)
> ---------------------------------------------------------------------------------------------------
>
> Key: SHIRO-887
> URL: https://issues.apache.org/jira/browse/SHIRO-887
> Project: Shiro
> Issue Type: Bug
> Affects Versions: 2.0.0, 1.9.1
> Reporter: Sebastian Frey
> Priority: Minor
>
> The FormAuthenticationFilter trims passwords which start and/or end with one
> or more space character(s), which prevents login for users with such
> passwords.
> Since spaces at the start and/or end of a password are totally legit, the
> password param should not be trimmed when processed by the
> FormAuthenticationFilter.
> The reason for that behavior is that in the FormAuthenticationFilter,
> WebUtils.getCleanParam() is called, which then calls StringUtils.clean(),
> which trims passed strings.
>
> If desired, I would prepare a PR to fix that behavior.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
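
The mismatch described in the report, as an added example that is not part of the original message or Shiro's code. `clean` is a stand-in for the trimming step (an assumption about its behavior, based on the description above), and the class name, PBKDF2 hashing and sample password are constructed for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TrimmedPasswordDemo {

    // Stand-in for the trimming step named in the report (an assumption, not
    // Shiro's source): strip surrounding whitespace, empty input becomes null.
    static String clean(String in) {
        if (in == null) return null;
        String out = in.trim();
        return out.isEmpty() ? null : out;
    }

    // Salted PBKDF2 hash of the password exactly as given, spaces included.
    static byte[] hash(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Constant-time comparison of the submitted password against the stored hash.
    static boolean matches(String submitted, byte[] salt, byte[] stored) throws Exception {
        if (submitted == null) return false;
        return MessageDigest.isEqual(hash(submitted, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample: password enrolled with a leading and trailing space.
        String enrolled = " correct horse ";
        byte[] stored = hash(enrolled, salt);

        // The same value as it arrives in the login form's password parameter.
        String param = " correct horse ";

        System.out.println("cleaned param matches: " + matches(clean(param), salt, stored));
        System.out.println("raw param matches:     " + matches(param, salt, stored));
        // An all-space password is reduced to null before it reaches the matcher.
        System.out.println("clean(\"   \") == null:  " + (clean("   ") == null));
    }
}
```

The cleaned value hashes differently from the enrolled one, so the correct password is rejected; passing the parameter through unmodified is what lets the comparison succeed.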