Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-08 19:42:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Polish PasswordEncoderUtils do not leak length

Browse Source 
Issue gh-255
This commit is contained in:
Rob Winch 2016-10-24 11:22:33 -05:00
parent a98389fa98
commit d3685d89c5
1 changed files with 6 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
View File

@ -33,18 +33,14 @@ class PasswordEncoderUtils {
static boolean equals(String expected, String actual) {
byte[] expectedBytes = bytesUtf8(expected);
byte[] actualBytes = bytesUtf8(actual);
int expectedLength = expectedBytes == null ? 0 : expectedBytes.length;
int actualLength = actualBytes == null ? 0 : actualBytes.length;
byte[] tmpBytes = new byte[1];
int result = (expectedLength != actualLength) ? 1 : 0;
tmpBytes[0] = (byte) 0xFF; // value is ignored, just initializing.
result |= ((expectedBytes == null && actualBytes != null) || (expectedBytes != null && actualBytes == null)) ? 1 : 0;
expectedBytes = (expectedBytes == null ? expectedBytes : tmpBytes);
int expectedLength = expectedBytes == null ? -1 : expectedBytes.length;
int actualLength = actualBytes == null ? -1 : actualBytes.length;
int result = expectedLength == actualLength ? 0 : 1;
for (int i = 0; i < actualLength; i++) {
result |= expectedBytes[i % (expectedLength!=0?expectedLength:1)] ^ actualBytes[i % actualLength];
byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength];
byte actualByte = actualBytes[i % actualLength];
result |= expectedByte ^ actualByte;
}
return result == 0;
}