Add extra salt length check for BCrypt
If the salt length is 28 characters and the version is 2{a,x,y}, an IndexOutOfBoundsException is thrown. This commit adds an extra check that the salt must be at least 29 characters long when the version is not "2". Fixes: gh-6907
parent
10a7af2d53
commit
d2248d185b
@ -780,6 +780,10 @@ public class BCrypt {
|
||||||
// Extract number of rounds
|
// Extract number of rounds
|
||||||
if (salt.charAt(off + 2) > '$')
|
if (salt.charAt(off + 2) > '$')
|
||||||
throw new IllegalArgumentException ("Missing salt rounds");
|
throw new IllegalArgumentException ("Missing salt rounds");
|
||||||
|
|
||||||
|
if (off == 4 && saltLength < 29) {
|
||||||
|
throw new IllegalArgumentException("Invalid salt");
|
||||||
|
}
|
||||||
rounds = Integer.parseInt(salt.substring(off, off + 2));
|
rounds = Integer.parseInt(salt.substring(off, off + 2));
|
||||||
|
|
||||||
real_salt = salt.substring(off + 3, off + 25);
|
real_salt = salt.substring(off + 3, off + 25);
|
||||||
|
|
|
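Review bot: The new guard `if (off == 4 && saltLength < 29)` hard-codes the bound that `real_salt = salt.substring(off + 3, off + 25)` a few lines below actually needs, so a reader has to work out both why 29 and why only for `off == 4`. Writing the condition in terms of the slice, `if (saltLength < off + 25) {`, covers both prefix forms with one check and keeps it in step with the substring that depends on it; if the hard-coded form is kept, a comment such as `// "$2{a,x,y}$" is one char longer than "$2$", so the 22-char salt body needs 29 chars` would carry the same information. The message `"Invalid salt"` is also less specific than the neighbouring `"Missing salt rounds"`; something like `"Salt too short"` would make the failure reason visible without leaking anything about the input. The enclosing method starts and ends outside this hunk, so the earlier minimum-length check the description refers to is not visible here.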
@ -338,6 +338,11 @@ public class BCryptTests {
|
||||||
"$2$05$......................bvpG2UfzdyW/S0ny/4YyEZrmczoJfVm");
|
"$2$05$......................bvpG2UfzdyW/S0ny/4YyEZrmczoJfVm");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test(expected = IllegalArgumentException.class)
|
||||||
|
public void hashpwFailsWhenSaltIsTooShort() {
|
||||||
|
BCrypt.hashpw("password", "$2a$10$123456789012345678901");
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void equalsOnStringsIsCorrect() {
|
public void equalsOnStringsIsCorrect() {
|
||||||
assertThat(BCrypt.equalsNoEarlyReturn("", "")).isTrue();
|
assertThat(BCrypt.equalsNoEarlyReturn("", "")).isTrue();
|
||||||
|
|
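Review bot: `hashpwFailsWhenSaltIsTooShort` pins only the `$2a$` prefix with a 28-character salt, while the commit message names the `2{a,x,y}` revisions and the guard in BCrypt applies to all of them. One test per revision (or a loop over the three prefixes with a try/catch per call, since `@Test(expected = ...)` stops at the first throw) would exercise the whole fix, and a companion case with a 29-character salt that is expected to succeed would pin the boundary from the other side. A brief comment on the 28-character literal, `// 7-char "$2a$10$" prefix + 21 chars: one short of the 22-char salt body`, would also explain why that exact length is the interesting input.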