bug CS-14663: accepting encoded password for MD5

Abhi 2012-04-28 12:28:44 +05:30
parent 883a0f1bd9
commit 98b93aeaa6
2 changed files with 6 additions and 8 deletions


@ -11,10 +11,7 @@
//
// Automatically generated by addcopyright.py at 04/02/2012
package com.cloud.server.auth;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.ejb.Local;
@ -26,7 +23,6 @@ import com.cloud.server.ManagementServer;
import com.cloud.user.UserAccount;
import com.cloud.user.dao.UserAccountDao;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.exception.CloudRuntimeException;
/**
* Simple UserAuthenticator that performs a MD5 hash of the password before
@ -50,7 +46,8 @@ public class MD5UserAuthenticator extends DefaultUserAuthenticator {
s_logger.debug("Unable to find user with " + username + " in domain " + domainId);
return false;
}
/**
MessageDigest md5;
try {
md5 = MessageDigest.getInstance("MD5");
@ -68,12 +65,13 @@ public class MD5UserAuthenticator extends DefaultUserAuthenticator {
sb.append('0');
}
sb.append(pwStr);
**/
// Will: The MD5Authenticator is now a straight pass-through comparison of the
// the passwords because we will not assume that the password passed in has
// already been MD5 hashed. I am keeping the above code in case this requirement changes
// or people need examples of how to MD5 hash passwords in java.
if (!user.getPassword().equals(sb.toString())) {
if (!user.getPassword().equals(password)) {
s_logger.debug("Password does not match");
return false;
}
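Review bot: Comparing with `user.getPassword().equals(password)` makes the stored MD5 digest itself the login credential, so a leaked copy of the stored value is enough to authenticate and the hash no longer protects the password; the digest should be computed on the server (ideally with a salted, slow password hash) rather than trusted from the client. If the pass-through stays, the comparison should be constant-time, e.g. `MessageDigest.isEqual(user.getPassword().getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8))`, which needs the `java.security.MessageDigest` import that this commit appears to drop. The hashing code disabled with `/** … **/` is better deleted than kept as dead text, and the "Will:" comment says the input is not assumed to be hashed, which seems to contradict what the code now requires. The enclosing method starts and ends outside the visible hunks.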


@ -33,7 +33,7 @@ var ERROR_VMOPS_ACCOUNT_ERROR = 531;
// Default password is MD5 hashed. Set the following variable to false to disable this.
var md5Hashed = true;
var md5HashedLogin = false;
var md5HashedLogin = true;
//page size for API call (e.g."listXXXXXXX&pagesize=N" )
var pageSize = 20;
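Review bot: `md5HashedLogin` has no comment of its own, and setting it to `true` ties every login from this UI to a server-side authenticator that expects an MD5 digest rather than the typed password. A deployment configured with a different authenticator would presumably fail to log in, so the coupling should be stated next to the flag, e.g. `// Login sends MD5(password); must match the server-side authenticator, which compares the value as received.` Hashing in the browser also does not protect the credential in transit, because the digest is what the server accepts, so the login call still needs TLS.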