Merge pull request #2968 from lachlan-roberts/jetty-9.4.x-2702-ArithmeticException-Credential

Issue #2702 - ArithmeticException in Credential.stringEquals and .byteEquals
Greg Wilkins 2018-10-18 16:54:16 +11:00 committed by GitHub
commit 8b5d4c7e49
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 5 deletions


@ -105,7 +105,7 @@ public abstract class Credential implements Serializable
int l1 = known.length(); int l1 = known.length();
int l2 = unknown.length(); int l2 = unknown.length();
for (int i = 0; i < l2; ++i) for (int i = 0; i < l2; ++i)
result &= known.charAt(i%l1) == unknown.charAt(i); result &= ((l1==0)?unknown.charAt(l2-i-1):known.charAt(i%l1)) == unknown.charAt(i);
return result && l1 == l2; return result && l1 == l2;
} }
@ -127,7 +127,7 @@ public abstract class Credential implements Serializable
int l1 = known.length; int l1 = known.length;
int l2 = unknown.length; int l2 = unknown.length;
for (int i = 0; i < l2; ++i) for (int i = 0; i < l2; ++i)
result &= known[i%l1] == unknown[i]; result &= ((l1==0)?unknown[l2-i-1]:known[i%l1]) == unknown[i];
return result && l1 == l2; return result && l1 == l2;
} }
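Review bot: The new ternary in the stringEquals loop (and the identical one in the byteEquals hunk below it) has no comment explaining that the `l1==0` arm is a dummy comparison of `unknown` against itself, kept so the loop still does per-element work without evaluating `i%l1` with a zero divisor. Without that, a reader can miss that an empty `known` may leave `result` true (for instance when `unknown` reads the same in both directions) and that the trailing `l1 == l2` is then the only thing rejecting the input. I would add above each loop `// known is empty: compare unknown with itself to avoid i%0; the length check below decides the result`. Both methods begin outside the hunks, so whether null arguments are handled before `known.length()` / `known.length` is not visible here.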


@ -20,13 +20,13 @@
package org.eclipse.jetty.util.security; package org.eclipse.jetty.util.security;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.eclipse.jetty.util.security.Credential.Crypt; import org.eclipse.jetty.util.security.Credential.Crypt;
import org.eclipse.jetty.util.security.Credential.MD5; import org.eclipse.jetty.util.security.Credential.MD5;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
/** /**
* CredentialTest * CredentialTest
@ -94,4 +94,20 @@ public class CredentialTest
assertFalse(Credential.byteEquals("foo".getBytes(),"fo".getBytes())); assertFalse(Credential.byteEquals("foo".getBytes(),"fo".getBytes()));
assertFalse(Credential.byteEquals("foo".getBytes(),"bar".getBytes())); assertFalse(Credential.byteEquals("foo".getBytes(),"bar".getBytes()));
} }
@Test
public void testEmptyString()
{
assertFalse(Credential.stringEquals("fooo",""));
assertFalse(Credential.stringEquals("","fooo"));
assertTrue(Credential.stringEquals("",""));
}
@Test
public void testEmptyBytes()
{
assertFalse(Credential.byteEquals("fooo".getBytes(),"".getBytes()));
assertFalse(Credential.byteEquals("".getBytes(),"fooo".getBytes()));
assertTrue(Credential.byteEquals("".getBytes(),"".getBytes()));
}
} }
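Review bot: testEmptyString and testEmptyBytes use only "fooo" as the non-empty value, which is not symmetric, so the loop itself clears `result` and the tests never reach the case where the final length check alone must reject the input. With an empty `known`, the patched comparison reads `unknown` against its own mirror image, so a value such as "abba" or a single character keeps `result` true until `l1 == l2` is evaluated. Adding `assertFalse(Credential.stringEquals("","abba"));` and `assertFalse(Credential.byteEquals("".getBytes(),"abba".getBytes()));` would pin that behaviour against a later refactor of the return expression.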