SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.

15 years ago · 2b8d4684a1
3 changed files with 6 additions and 3 deletions
--- a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
@ -20,6 +20,7 @@ import java.io.UnsupportedEncodingException;
				@@ -20,6 +20,7 @@ import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;

 import org.springframework.security.crypto.codec.Base64;
+import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.util.Assert;


@ -101,7 +102,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
				@@ -101,7 +102,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
            prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
        }

-        return prefix + new String(Base64.encode(hash));
+        return prefix + Utf8.decode(Base64.encode(hash));
    }

    private byte[] extractSalt(String encPass) {
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
@ -18,6 +18,7 @@ import java.io.UnsupportedEncodingException;
				@@ -18,6 +18,7 @@ import java.io.UnsupportedEncodingException;

 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.codec.Utf8;

 /**
 * MD4 implementation of PasswordEncoder.
@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
				@@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
        byte[] resBuf = md4.digest();

        if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(resBuf));
+            return Utf8.decode(Base64.encode(resBuf));
        } else {
            return new String(Hex.encode(resBuf));
        }
--- a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
@ -6,6 +6,7 @@ import java.security.NoSuchAlgorithmException;
				@@ -6,6 +6,7 @@ import java.security.NoSuchAlgorithmException;

 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.util.Assert;

 /**
@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
				@@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
        }

        if (getEncodeHashAsBase64()) {
-            return new String(Base64.encode(digest));
+            return Utf8.decode(Base64.encode(digest));
        } else {
            return new String(Hex.encode(digest));
        }