readrops
[Bug] ApiUtils.md5hash discards leading 0s on hash (AKA: login failures via Fever integration)
Describe the bug
When a user happens to be unlucky enough to have Fever credentials where the username + ":" + password happen to result in an MD5 hash with leading zeros, they are unable to log in via the Readrops app.
After a bit of digging, this seems to be because of an incorrect hash implementation in ApiUtils.md5hash:
https://github.com/readrops/Readrops/blob/9ebbe038d0b1357be1a3713dd3222f51820c7f45/api/src/main/java/com/readrops/api/utils/ApiUtils.kt#L47-L51)
It turns out that BigInteger.toString(16) doesn't preserve leading zeros, so an invalid API key is generated, and the user cannot login.
I believe the following diff would fix it, but I'm not familiar with Kotlin, but it works in this kotlin playground example:
diff --git a/api/src/main/java/com/readrops/api/utils/ApiUtils.kt b/api/src/main/java/com/readrops/api/utils/ApiUtils.kt
index c879c56a..52d0b931 100644
--- a/api/src/main/java/com/readrops/api/utils/ApiUtils.kt
+++ b/api/src/main/java/com/readrops/api/utils/ApiUtils.kt
@@ -48,7 +48,7 @@ object ApiUtils {
val bytes = MessageDigest.getInstance("MD5")
.digest(value.toByteArray())
- return BigInteger(1, bytes).toString(16)
+ return BigInteger(1, bytes).toString(16).padStart(32, '0')
}
fun handleRssSpecialCases(url: String): String {
To Reproduce Steps to reproduce the behavior:
- Create a set of Fever credentials in Miniflux that result in a hash with leading zeros (eg:
user4013:pass4013which hashes to0003296c0fa9a2bad56701b3fff82f21 - Attempt to set up a new Fever account in Readrops with the same credentials
- Clicking validate will fail
- See error
Expected behavior
I expect to be able to log in
Environment information (please complete the following information):
- Account type: Fever (via Miniflux, in my case)
- App version: 2.1.1
- Android version: Android 16
- Device type: Pixel 8a
- Store: F-Droid
Additional context Add any other context about the problem here.
