http://bugzilla.novell.com/show_bug.cgi?id=538406
User [email protected] added comment
http://bugzilla.novell.com/show_bug.cgi?id=538406#c7

Sebastien Pouliot <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
                 CC|                            |[email protected],
                   |                            |[email protected]
      Info Provider|                            |[email protected]

--- Comment #7 from Sebastien Pouliot <[email protected]> 2009-09-14 07:20:21 MDT ---

So the current code does not work (you probably guessed that ;-) because it's
not really symmetric. The encryption provides an IV (which should not be based
on the password) while the decryption does not provide it. The decryption also
truncates the data (to remove the "IV garbage") which indicates it's likely
the author did not know what an IV is (or how it's used).

AFAICT this got broken in r67374 - but that revision was good in the sense that
it implemented the right methods (i.e. the protected [Encrypt|Decrypt]Password)
http://anonsvn.mono-project.com/viewvc/trunk/mcs/class/System.Web/System.Web.Security/MembershipProvider.cs?r1=60240&r2=67374

As to fix this well, there's no way to do it in a backward compatible way. OTOH
I don't think anyone can have a working site that depends on our code[1]

[1] likely because most MembershipProvider implementations override the base
methods.

Marek & Gonzalo: Do you know anyone that could (really) depend on the existing
code? Or that you want to contact/ask before this is fixed correctly?

_______________________________________________
mono-bugs maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-bugs
