# [SERVER-10898] Passwords should be canonicalized according to unicode canonicalization NFC

Created: 25/Sep/13 | Updated: 06/Dec/22 | Resolved: 13/Apr/18

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | Security |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Improvement |
| Priority | Major - P3 |
| Reporter | Andy Schwerin |
| Assignee | Backlog - Security Team |
| Resolution | Done |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Assigned Teams | Server Security |
| Participants | |

## Description

Similar to SERVER-10897, if drivers and the server don't engage in some canonicalization process for passwords, there is a strong risk of mismatches when the input device used by the end user produces a different encoding of a multi-code-point character, or a character that has multiple code point representations (e.g., Greek capital omega and the Ohm symbol).
## Comments

**Comment by Andrew Morrow (Inactive) [ 13/Apr/18 ]**

This issue was resolved while working on other facets of SCRAM-SHA-256. We are using SASLprep for passwords. No additional work is required, closing as 'gone away'.

**Comment by David Golden [ 21/Feb/18 ]**

As SCRAM specifies using SASLprep, which is normalization form NFKC, should this and SERVER-10897 be changed to NFKC instead?
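The following is an added example, not code from this ticket or from the MongoDB server or drivers. It illustrates both the mismatch described in the issue (Ohm sign vs. Greek capital omega, precomposed vs. decomposed accents) and the NFC vs. NFKC distinction raised in the last comment. The password strings, the salt and the PBKDF2-based verifier are constructed stand-ins for a SCRAM-style salted password; "NFKC" here models only the normalization step of SASLprep, not its full mapping, prohibited-character and bidi rules.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# Constructed sample inputs: the same visible password arriving through two input paths.
# U+2126 OHM SIGN and U+03A9 GREEK CAPITAL LETTER OMEGA render identically, and
# 'e' + U+0301 COMBINING ACUTE ACCENT renders the same as precomposed U+00E9.
OHM_SIGN = "\u2126"
OMEGA = "\u03a9"
PRECOMPOSED_E_ACUTE = "\u00e9"
DECOMPOSED_E_ACUTE = "e\u0301"

ENROLLED = "caf" + PRECOMPOSED_E_ACUTE + OMEGA    # what the user set at enrollment
TYPED = "caf" + DECOMPOSED_E_ACUTE + OHM_SIGN      # same keystrokes on another device


def canonicalize(password: str, form: str = "NFC") -> str:
    """Apply a Unicode normalization form ('NFC' or 'NFKC') to a password."""
    return unicodedata.normalize(form, password)


def derive_verifier(password: str, salt: bytes, form: Optional[str]) -> bytes:
    """Toy salted-password derivation: normalize (if a form is given), then PBKDF2-SHA-256.
    Assumption: a real SCRAM implementation applies full SASLprep before this step."""
    canon = canonicalize(password, form) if form else password
    return hashlib.pbkdf2_hmac("sha256", canon.encode("utf-8"), salt, 4096)


def verify(candidate: str, stored: bytes, salt: bytes, form: Optional[str]) -> bool:
    """Constant-time comparison of a freshly derived verifier against the stored one."""
    return hmac.compare_digest(derive_verifier(candidate, salt, form), stored)


def mismatch_report(enrolled: str, typed: str, salt: bytes = b"constructed-salt") -> dict:
    """For each policy (no normalization, NFC, NFKC), report whether the typed
    password verifies against a verifier derived from the enrolled one."""
    report = {}
    for form in (None, "NFC", "NFKC"):
        stored = derive_verifier(enrolled, salt, form)
        report[form or "none"] = verify(typed, stored, salt, form)
    return report


def nfc_vs_nfkc(text: str) -> tuple:
    """Show where the two forms diverge: NFKC additionally folds compatibility
    characters (fullwidth letters, ligatures) that NFC leaves untouched."""
    return (unicodedata.normalize("NFC", text), unicodedata.normalize("NFKC", text))


if __name__ == "__main__":
    print(mismatch_report(ENROLLED, TYPED))   # only the un-normalized policy fails
    print(nfc_vs_nfkc("\uff21"))              # FULLWIDTH LATIN CAPITAL LETTER A
    print(nfc_vs_nfkc("\ufb01"))              # LATIN SMALL LIGATURE FI
```

Without normalization the two byte sequences hash differently and the login fails even though the user typed the "same" password; under either NFC or NFKC they agree. The fullwidth and ligature inputs are where the choice matters: NFKC maps them to plain ASCII, so a verifier derived under NFKC (the SASLprep choice) is not interchangeable with one derived under NFC for such passwords.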