- Bug
- Resolution: Done
- Minor
- 15.0.5.Final
- None
If users.properties is in encrypted form but contains an invalid entry, loading it causes a StringIndexOutOfBoundsException instead of a clearer error message.
Correct format (if it had a correct hash):
user=scram-sha-1\:aaaaaaaaaa;
Bad format:
user=aaaaaaaaa
The issue is in org.infinispan.server.security.realm.EncryptedPropertiesSecurityRealm#load.
int colon = password.indexOf(':');
PasswordFactory factory = getPasswordFactory(password.substring(0, colon));
It looks for a colon, but does not verify that it actually found one before calling substring with an invalid index.
It should check if colon == -1 and return a more descriptive error message.
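A stand-alone sketch of the check the report asks for, added here as an illustration and not taken from the Infinispan code base. The class and method names are hypothetical, the sample entries are constructed from the two formats above, and naming the user without echoing the stored value in the error is a choice made for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class EncryptedEntryCheck {

    // Hypothetical helper: returns the algorithm prefix of one stored value.
    // The error names the user but never echoes the value, because a
    // malformed entry may well be a plain-text password.
    static String algorithmOf(String user, String value) {
        int colon = value.indexOf(':');
        if (colon <= 0) { // -1: no colon at all; 0: empty algorithm name
            throw new IllegalArgumentException("Malformed entry for user '" + user
                    + "' in users.properties: expected <algorithm>:<hash>");
        }
        return value.substring(0, colon);
    }

    // Checks every entry and reports all problems instead of stopping at the first.
    static Map<String, String> check(String fileContents) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(fileContents)); // "\:" is unescaped to ":" here
        Map<String, String> report = new TreeMap<>(); // sorted for stable output
        for (String user : props.stringPropertyNames()) {
            try {
                report.put(user, "ok, algorithm=" + algorithmOf(user, props.getProperty(user)));
            } catch (IllegalArgumentException e) {
                report.put(user, e.getMessage());
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input using the two entry shapes from the report.
        String sample = "good=scram-sha-1\\:aaaaaaaaaa;\n"
                + "bad=aaaaaaaaa\n";
        check(sample).forEach((user, status) -> System.out.println(user + ": " + status));
    }
}
```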
- clones: JDG-6792 [GSS](8.4.z) StringIndexOutOfBoundsException if users.properties is malformed (Verified)