Issue #1556 - A timing channel in Password.java.

Fixed comparison logic, doh.
2017-05-16 16:34:04 +02:00 · 2017-05-16 16:34:04 +02:00 · f3751d7078
parent 042f325f1c
commit f3751d7078
1 changed files with 4 additions and 4 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/security/Credential.java
@ -84,9 +84,9 @@ public abstract class Credential implements Serializable
            return true;
        if (s1 == null || s2 == null || s1.length() != s2.length())
            return false;
-        boolean result = false;
+        boolean result = true;
        for (int i = 0; i < s1.length(); i++)
-            result |= s1.charAt(i) == s2.charAt(i);
+            result &= s1.charAt(i) == s2.charAt(i);
        return result;
    }
@ -103,9 +103,9 @@ public abstract class Credential implements Serializable
            return true;
        if (b1 == null || b2 == null || b1.length != b2.length)
            return false;
-        boolean result = false;
+        boolean result = true;
        for (int i = 0; i < b1.length; i++)
-            result |= b1[i] == b2[i];
+            result &= b1[i] == b2[i];
        return result;
    }