From 2b8d4684a1cd2f95ac2b7ca8eeda129cf33b251c Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 14 Jun 2011 17:42:59 +0100
Subject: [PATCH] SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.
---
 .../authentication/encoding/LdapShaPasswordEncoder.java | 3 ++-
 .../security/authentication/encoding/Md4PasswordEncoder.java | 3 ++-
 .../authentication/encoding/MessageDigestPasswordEncoder.java | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
index 85553d56c8..fce56502f4 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/LdapShaPasswordEncoder.java
@@ -20,6 +20,7 @@ import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import org.springframework.security.crypto.codec.Base64;
+import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.util.Assert;
@@ -101,7 +102,7 @@ public class LdapShaPasswordEncoder implements PasswordEncoder {
 prefix = forceLowerCasePrefix ? SSHA_PREFIX_LC : SSHA_PREFIX;
 }
- return prefix + new String(Base64.encode(hash));
+ return prefix + Utf8.decode(Base64.encode(hash));
 }
 private byte[] extractSalt(String encPass) {
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
index e7479b8cd9..e559ee2071 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/Md4PasswordEncoder.java
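Review bot: The reverse direction is not covered by this change: the return in the LdapShaPasswordEncoder hunk now builds the stored value with `Utf8.decode(...)`, but `extractSalt(String encPass)` begins on the last context line and its body is outside the hunk, so how it turns the stored string back into bytes cannot be checked here. If it calls a charset-less `getBytes()` before Base64-decoding, it should use the matching `Utf8.encode(...)` so the salt is recovered identically on every platform. Base64 output is plain ASCII, so stored hashes are unchanged under ASCII-compatible defaults; any hash written on a JVM with a non-ASCII-compatible default would presumably stop validating after this change, which deserves a line in the release notes.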
@@ -18,6 +18,7 @@ import java.io.UnsupportedEncodingException;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.codec.Utf8;
 /**
 * MD4 implementation of PasswordEncoder.
@@ -60,7 +61,7 @@ public class Md4PasswordEncoder extends BaseDigestPasswordEncoder {
 byte[] resBuf = md4.digest();
 if (getEncodeHashAsBase64()) {
- return new String(Base64.encode(resBuf));
+ return Utf8.decode(Base64.encode(resBuf));
 } else {
 return new String(Hex.encode(resBuf));
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
index 9ecd7a7dc8..af17e25a58 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/MessageDigestPasswordEncoder.java
@@ -6,6 +6,7 @@ import java.security.NoSuchAlgorithmException;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.crypto.codec.Hex;
+import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.util.Assert;
 /**
@@ -92,7 +93,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
 }
 if (getEncodeHashAsBase64()) {
- return new String(Base64.encode(digest));
+ return Utf8.decode(Base64.encode(digest));
 } else {
 return new String(Hex.encode(digest));
 }
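Review bot: The else branch in the Md4PasswordEncoder hunk keeps `return new String(Hex.encode(resBuf));` while the Base64 branch moves to `Utf8.decode(...)`, and nothing explains why the two differ; the same pair appears in the MessageDigestPasswordEncoder hunk with `digest`. If `Hex.encode` returns `char[]` (I believe it does in this codec package, worth confirming), no charset is involved and the line is correct, but a short comment such as `// Hex.encode yields char[], so no charset conversion happens here` would stop the next reader from treating it as a missed spot. If it returns `byte[]` instead, it needs the same `Utf8.decode` wrapper. Both enclosing methods start outside their hunks.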