Password hash is calculated using platform default encoding
-----------------------------------------------------------
Key: JSPWIKI-21
URL: https://issues.apache.org/jira/browse/JSPWIKI-21
Project: JSPWiki
Issue Type: Bug
Components: Security
Affects Versions: 2.4.104, 2.5.139-beta
Reporter: Janne Jalkanen
AbstractUserDatabase.getHash():
{code}
MessageDigest md = MessageDigest.getInstance( "SHA" );
md.update( text.getBytes() );
byte[] digestedBytes = md.digest();
{code}
Using text.getBytes() means that passwords outside of the US-ASCII range are hashed
with the platform's default encoding, which means that the userdatabase cannot be
moved to another computer with a different default encoding.
Suggestion is to use UTF-8; that should be backwards compatible with the
current case.
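The effect described in the report, as an added example that is not part of the original issue or of JSPWiki's code: the same SHA digest is computed with the charset passed explicitly, so the result for each possible platform default can be compared on one machine. The class name `HashEncodingDemo`, the `hash(text, charset)` helper and the sample passwords are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HashEncodingDemo {

    // Same digest as the reported snippet, with the charset made explicit
    // instead of relying on the platform default used by text.getBytes().
    static String hash(String text, Charset cs) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(text.getBytes(cs));
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample passwords: pure US-ASCII, and two that differ
        // only in one non-ASCII character.
        String ascii = "correct-horse";
        String umlautA = "p\u00e4ssword"; // a with diaeresis
        String umlautO = "p\u00f6ssword"; // o with diaeresis

        // Charsets standing in for the default of different machines.
        Charset[] defaults = {
            StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8, StandardCharsets.US_ASCII
        };

        System.out.println("this JVM's default: " + Charset.defaultCharset());
        for (Charset cs : defaults) {
            System.out.printf("%-10s ascii=%s  non-ascii=%s%n",
                    cs, hash(ascii, cs), hash(umlautA, cs));
        }

        // ASCII-only passwords hash identically everywhere; non-ASCII ones do not,
        // so a stored hash stops verifying after a move between machines.
        System.out.println("ascii portable:     "
                + hash(ascii, StandardCharsets.ISO_8859_1).equals(hash(ascii, StandardCharsets.UTF_8)));
        System.out.println("non-ascii portable: "
                + hash(umlautA, StandardCharsets.ISO_8859_1).equals(hash(umlautA, StandardCharsets.UTF_8)));

        // Under US-ASCII, unmappable characters are replaced with '?',
        // so two different passwords produce the same hash.
        System.out.println("US-ASCII collision: "
                + hash(umlautA, StandardCharsets.US_ASCII).equals(hash(umlautO, StandardCharsets.US_ASCII)));
    }
}
```

Hashes of non-ASCII passwords that were stored on a machine whose default was not UTF-8 will not match after the switch to `getBytes(StandardCharsets.UTF_8)`; ASCII-only passwords are unaffected.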