Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish PasswordEncoderUtils do not leak length 

Fix possible / 0 if expected is empty String.

Issue gh-255
This commit is contained in:
Rob Winch 2016-10-24 12:50:11 -05:00
parent d3685d89c5
commit e62596f36d
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
View File

@ -38,7 +38,7 @@ class PasswordEncoderUtils {
int result = expectedLength == actualLength ? 0 : 1; int result = expectedLength == actualLength ? 0 : 1;
for (int i = 0; i < actualLength; i++) { for (int i = 0; i < actualLength; i++) {
byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength]; byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
byte actualByte = actualBytes[i % actualLength]; byte actualByte = actualBytes[i % actualLength];
result |= expectedByte ^ actualByte; result |= expectedByte ^ actualByte;
} }

6
core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
View File

@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests {
assertThat(PasswordEncoderUtils.equals("", null)).isFalse(); assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
} }
@Test
public void equalsWhenNotEmptyAndEmptyThenFalse() {
assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
}
@Test @Test
public void equalsWhenEmtpyAndEmptyThenTrue() { public void equalsWhenEmtpyAndEmptyThenTrue() {
assertThat(PasswordEncoderUtils.equals("", "")).isTrue(); assertThat(PasswordEncoderUtils.equals("", "")).isTrue();