From 70ca0d1a396b70b33332fd3a28121a1701d4c8ff Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 14 Jun 2011 17:42:59 +0100
Subject: [PATCH] SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.
---
 .../encoding/LdapShaPasswordEncoder.java | 8 ++++----
 .../authentication/encoding/Md4PasswordEncoder.java | 7 ++++---
 .../encoding/MessageDigestPasswordEncoder.java | 11 ++++++-----
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
index f349df9c96..4a06574a85 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
@@ -16,12 +16,12 @@ package org.springframework.security.authentication.encoding;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-
 import org.springframework.security.core.codec.Base64;
+import org.springframework.security.core.codec.Utf8;
 import org.springframework.util.Assert;
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
 /**
 * A version of {@link ShaPasswordEncoder} which supports Ldap SHA and SSHA (salted-SHA) encodings. The values are
@@ -101,7 +101,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
 prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
 }
- return prefix + new String(Base64.encode(hash));
+ return prefix + Utf8.decode(Base64.encode(hash));
 }
 private byte[] extractSalt(String encPass) {
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
index bb2751c7dc..d2b564d374 100644
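Review bot: The re-added `import java.io.UnsupportedEncodingException;` and `import java.security.MessageDigest;` follow `import org.springframework.util.Assert;` directly, with no blank line between the org.springframework group and the java group as far as the collapsed hunk shows, whereas the Md4PasswordEncoder and MessageDigestPasswordEncoder hunks in this same commit separate those two groups with a blank line. For a consistent layout across the three files touched here, add a blank line before `import java.io.UnsupportedEncodingException;`. This is layout only; the added Utf8 import is what the second hunk in this file relies on.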
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
@@ -14,10 +14,11 @@
 */
 package org.springframework.security.authentication.encoding;
-import java.io.UnsupportedEncodingException;
-
 import org.springframework.security.core.codec.Base64;
 import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
+
+import java.io.UnsupportedEncodingException;
 /**
 * MD4 implementation of PasswordEncoder.
@@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
 byte[] resBuf = md4.digest();
 if (getEncodeHashAsBase64()) {
- return new String(Base64.encode(resBuf));
+ return Utf8.decode(Base64.encode(resBuf));
 } else {
 return new String(Hex.encode(resBuf));
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
index 86f08d08ff..78469fd392 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
@@ -1,13 +1,14 @@
 package org.springframework.security.authentication.encoding;
+import org.springframework.security.core.codec.Base64;
+import org.springframework.security.core.codec.Hex;
+import org.springframework.security.core.codec.Utf8;
+import org.springframework.util.Assert;
+
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import org.springframework.security.core.codec.Base64;
-import org.springframework.security.core.codec.Hex;
-import org.springframework.util.Assert;
-
 /**
 * Base for digest password encoders.
 *
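Review bot: The `} else {` branch two lines below the changed line still builds the hex string with `new String(Hex.encode(resBuf))`, i.e. the platform default charset, so this hunk applies the UTF-8 fix from the subject to the Base64 path only; the MessageDigestPasswordEncoder hunk at `@@ -92,7 +93,7 @@` leaves its `new String(Hex.encode(digest))` the same way. Hex output is ASCII, so on ASCII-compatible default charsets the result is identical, but the two return paths of the same method now disagree on how bytes become a string, and a non-ASCII-compatible default charset would still yield a wrong encoded hash on that path. Make both branches consistent: `return Utf8.decode(Hex.encode(resBuf));` here and `return Utf8.decode(Hex.encode(digest));` in MessageDigestPasswordEncoder. The enclosing method begins outside the hunk in both files.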

@@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
 }
 if (getEncodeHashAsBase64()) {
- return new String(Base64.encode(digest));
+ return Utf8.decode(Base64.encode(digest));
 } else {
 return new String(Hex.encode(digest));
 }