Polish PasswordEncoderUtils do not leak length

Fix possible / 0 if expected is empty String. Issue gh-255
2016-10-24 12:50:11 -05:00 · 2016-10-24 12:50:11 -05:00 · e62596f36d
parent d3685d89c5
commit e62596f36d
2 changed files with 7 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
@ -38,7 +38,7 @@ class PasswordEncoderUtils {

 		int result = expectedLength == actualLength ? 0 : 1;
 		for (int i = 0; i < actualLength; i++) {
-			byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength];
+			byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
 			byte actualByte = actualBytes[i % actualLength];
 			result |= expectedByte ^ actualByte;
 		}
--- a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests {
 		assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
 	}

+	@Test
+	public void equalsWhenNotEmptyAndEmptyThenFalse() {
+		assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
+		assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
+	}
+
 	@Test
 	public void equalsWhenEmtpyAndEmptyThenTrue() {
 		assertThat(PasswordEncoderUtils.equals("", "")).isTrue();