[
https://issues.apache.org/jira/browse/JSPWIKI-21?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Janne Jalkanen resolved JSPWIKI-21.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.6.0
As of 2.5.157, UTF-8 is used to calculate the hash. Hopefully nobody's
passwords break.
> Password hash is calculated using platform default encoding
> -----------------------------------------------------------
>
> Key: JSPWIKI-21
> URL: https://issues.apache.org/jira/browse/JSPWIKI-21
> Project: JSPWiki
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.4.104, 2.5.139-beta
> Reporter: Janne Jalkanen
> Fix For: 2.6.0
>
>
> AbstractUserDatabase.getHash():
> {code}
> MessageDigest md = MessageDigest.getInstance( "SHA" );
> md.update( text.getBytes() );
> byte[] digestedBytes = md.digest();
> {code}
> Using text.getBytes() means that passwords outside of USASCII range are
> hashed with platforms default encoding. Which means that the userdatabase
> cannot be moved to another computer with a default different encoding.
> Suggestion is to use UTF-8; that should be backwards compatible with the
> current case.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
