Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixes #2702 - ArithmeticException in Credential.stringEquals and .byteEquals 

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
This commit is contained in:
Lachlan Roberts 2018-10-10 16:10:29 +11:00
parent 6b6036a21c
commit e727ad893d
2 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
View File

@ -105,7 +105,7 @@ public abstract class Credential implements Serializable
int l1 = known.length();
int l2 = unknown.length();
for (int i = 0; i < l2; ++i)
result &= known.charAt(i%l1) == unknown.charAt(i);
result &= ((l1==0)?unknown.charAt(l2-i-1):known.charAt(i%l1)) == unknown.charAt(i);
return result && l1 == l2;
}
@ -127,7 +127,7 @@ public abstract class Credential implements Serializable
int l1 = known.length;
int l2 = unknown.length;
for (int i = 0; i < l2; ++i)
result &= known[i%l1] == unknown[i];
result &= ((l1==0)?unknown[l2-i-1]:known[i%l1]) == unknown[i];
return result && l1 == l2;
}

22
jetty-util/src/test/java/org/eclipse/jetty/util/security/CredentialTest.java
View File

@ -20,13 +20,13 @@
package org.eclipse.jetty.util.security;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import org.eclipse.jetty.util.security.Credential.Crypt;
import org.eclipse.jetty.util.security.Credential.MD5;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
/**
* CredentialTest
@ -94,4 +94,20 @@ public class CredentialTest
assertFalse(Credential.byteEquals("foo".getBytes(),"fo".getBytes()));
assertFalse(Credential.byteEquals("foo".getBytes(),"bar".getBytes()));
}
@Test
public void testEmptyString()
{
assertFalse(Credential.stringEquals("fooo",""));
assertFalse(Credential.stringEquals("","fooo"));
assertTrue(Credential.stringEquals("",""));
}
@Test
public void testEmptyBytes()
{
assertFalse(Credential.byteEquals("fooo".getBytes(),"".getBytes()));
assertFalse(Credential.byteEquals("".getBytes(),"fooo".getBytes()));
assertTrue(Credential.byteEquals("".getBytes(),"".getBytes()));
}
}