Bug #27623 leading 0 is stripped off md5sum for password
Submitted: 3 Apr 2007 18:52
Modified: 13 Apr 2007 12:43
Reporter: Matthew Lord
Status: Closed
Category: MySQL Enterprise Monitor: Server
Severity: S2 (Serious)
Version:
OS: Any
Assigned to: Darren Oldag
CPU Architecture: Any
Tags: Merlin, password

[3 Apr 2007 18:52] Matthew Lord
Description:
If the md5sum of a user's password contains a leading 0 it is stripped.

How to repeat:
Create a username/password combo tester/rbablord5.

The correct md5sum is 09736a8436e10bf1991927f2ffc76c12 but the URL created
by /rest/merlin.php does not contain the leading 0.

Suggested fix:
Find out where the leading zero(s) are being stripped.
[5 Apr 2007 17:08] Jan Kneschke
The server code to turn an md5-hash into a string is using BigInteger().toString(), which strips leading zeros:

 String md5Hash(String toHash) {
         final MessageDigest md5 = getMD5digestInstance();
         final byte[] unhashed = toUTF8bytes(toHash);
         final byte[] hashed = md5.digest(unhashed);
         return new BigInteger(1, hashed).toString(16);
 }

A sprintf fixes the problem:

   return String.format("%032x", new BigInteger(1, hashed));
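
The behaviour described in the comment above, as an added Java example that is not part of the original report or the product's code: it runs the quoted encoding, the quoted `String.format` fix and a per-byte encoder over the report's password and three constructed digests. The class name, the helper names and the per-byte encoder are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
public class Md5HexDemo {
    // Encoding quoted in the comment: leading zero nibbles are dropped.
    static String hexLossy(byte[] d) {
        return new BigInteger(1, d).toString(16);
    }

    // Fix quoted in the comment: pad to the 32 hex digits of an MD5 digest.
    static String hexPadded(byte[] d) {
        return String.format("%032x", new BigInteger(1, d));
    }

    // Alternative (assumption, not from the report): encode byte by byte, so
    // the length is always 2 * d.length, whatever the digest size.
    static String hexPerByte(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    // Print both encodings side by side and check the two fixed forms agree.
    static void show(String label, byte[] d) {
        String lossy = hexLossy(d), padded = hexPadded(d);
        System.out.printf("%-9s lossy=%-32s len=%2d padded=%s%n",
                label, lossy, lossy.length(), padded);
        if (!padded.equals(hexPerByte(d))) throw new AssertionError(label);
    }

    public static void main(String[] args) throws Exception {
        // Password from the report; per the report its MD5 starts with 0.
        byte[] reported = MessageDigest.getInstance("MD5")
                .digest("rbablord5".getBytes(StandardCharsets.UTF_8));
        // Constructed digests (not real hashes) covering the edge cases.
        byte[] zeroByte = new byte[16];
        zeroByte[1] = (byte) 0x0A;            // 00 0a 00 ... 00
        byte[] allZero = new byte[16];        // 00 ... 00
        byte[] full = new byte[16];
        Arrays.fill(full, (byte) 0xF1);       // no leading zero nibble
        show("reported", reported);
        show("zeroByte", zeroByte);
        show("allZero", allZero);
        show("full", full);
    }
}
```

Any comparison of a lossy string against a fixed-width 32-character hash fails for every digest whose first nibble is zero, which is the mismatch the reporter saw for tester/rbablord5.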
[10 Apr 2007 13:25] Darren Oldag
Fixed in trunk. Waiting for instruction to merge fix into 1.1.1 point release.
[13 Apr 2007 9:21] Carsten Segieth
Tested OK with 1.1.1.5099:

mysql> select * from users;
+---------+------------+----------------------------------+-----------+
| user_id | user_name  | user_pass                        | role_name |
+---------+------------+----------------------------------+-----------+
...
|       3 | tester     | 09736a8436e10bf1991927f2ffc76c12 | dba       |
+---------+------------+----------------------------------+-----------+
[13 Apr 2007 12:43] Peter Lavin
Added to changelog.