GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Polish PasswordEncoderUtils do not leak length 

Fix possible / 0 if expected is empty String.

Issue gh-255
pull/4107/head
Rob Winch 9 years ago
parent
d3685d89c5
commit
e62596f36d
2 changed files with 7 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
  2. 6
      core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java

2
core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
Unescape View File

@ -38,7 +38,7 @@ class PasswordEncoderUtils { @@ -38,7 +38,7 @@ class PasswordEncoderUtils {
int result = expectedLength == actualLength ? 0 : 1;
for (int i = 0; i < actualLength; i++) {
byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength];
byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
byte actualByte = actualBytes[i % actualLength];
result |= expectedByte ^ actualByte;
}

6
core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
Unescape View File

@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests { @@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests {
assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
}
@Test
public void equalsWhenNotEmptyAndEmptyThenFalse() {
assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
}
@Test
public void equalsWhenEmtpyAndEmptyThenTrue() {
assertThat(PasswordEncoderUtils.equals("", "")).isTrue();

Write Preview
Loading…
Cancel
Save