SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.

2025-06-27 06:12:27 +00:00 · 2011-06-14 17:42:59 +01:00 · 2011-06-14 17:42:59 +01:00 · 70ca0d1a39
commit 70ca0d1a39
parent 7a5a062cd0
3 changed files with 14 additions and 12 deletions
--- a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
@ -16,12 +16,12 @@
 package org.springframework.security.authentication.encoding;


-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-
 import org.springframework.security.core.codec.Base64;
+import org.springframework.security.core.codec.Utf8;
 import org.springframework.util.Assert;

+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;

 /**
 * A version of {@link ShaPasswordEncoder} which supports Ldap SHA and SSHA (salted-SHA) encodings. The values are
@ -101,7 +101,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
            prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
        }

-        return prefix + new String(Base64.encode(hash));
+        return prefix + Utf8.decode(Base64.encode(hash));
    }

    private byte[] extractSalt(String encPass) {
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
@ -14,10 +14,11 @@
 */
 package org.springframework.security.authentication.encoding;

-import java.io.UnsupportedEncodingException;
-
 import org.springframework.security.core.codec.Base64;
 import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
+
+import java.io.UnsupportedEncodingException;

 /**
 * MD4 implementation of PasswordEncoder.
@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
        byte[] resBuf = md4.digest();

        if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(resBuf));
+            return Utf8.decode(Base64.encode(resBuf));
        } else {
            return new String(Hex.encode(resBuf));
        }
--- a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
@ -1,13 +1,14 @@
 package org.springframework.security.authentication.encoding;

+import org.springframework.security.core.codec.Base64;
+import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
+import org.springframework.util.Assert;
+
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;

-import org.springframework.security.core.codec.Base64;
-import org.springframework.security.core.codec.Hex;
-import org.springframework.util.Assert;
-
 /**
 * Base for digest password encoders.
 * <p>
@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
        }

        if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(digest));
+            return Utf8.decode(Base64.encode(digest));
        } else {
            return new String(Hex.encode(digest));
        }