From e62596f36ddb31703eb0184216c3da8a6cf8cf11 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@gopivotal.com>
Date: Mon, 24 Oct 2016 12:50:11 -0500
Subject: [PATCH] Polish PasswordEncoderUtils do not leak length

Fix possible / 0 if expected is empty String.

Issue gh-255
---
 .../authentication/encoding/PasswordEncoderUtils.java       | 2 +-
 .../authentication/encoding/PasswordEncoderUtilsTests.java  | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java b/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
index 13a14e3139..fd1f86192f 100644
--- a/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/PasswordEncoderUtils.java
@@ -38,7 +38,7 @@ class PasswordEncoderUtils {
 
 		int result = expectedLength == actualLength ? 0 : 1;
 		for (int i = 0; i < actualLength; i++) {
-			byte expectedByte = expectedBytes == null ? 0 : expectedBytes[i % expectedLength];
+			byte expectedByte = expectedLength <= 0 ? 0 : expectedBytes[i % expectedLength];
 			byte actualByte = actualBytes[i % actualLength];
 			result |= expectedByte ^ actualByte;
 		}
diff --git a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java b/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
index 7aa900068f..f8f4487414 100644
--- a/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/encoding/PasswordEncoderUtilsTests.java
@@ -47,6 +47,12 @@ public class PasswordEncoderUtilsTests {
 		assertThat(PasswordEncoderUtils.equals("", null)).isFalse();
 	}
 
+	@Test
+	public void equalsWhenNotEmptyAndEmptyThenFalse() {
+		assertThat(PasswordEncoderUtils.equals("abc", "")).isFalse();
+		assertThat(PasswordEncoderUtils.equals("", "abc")).isFalse();
+	}
+
 	@Test
 	public void equalsWhenEmtpyAndEmptyThenTrue() {
 		assertThat(PasswordEncoderUtils.equals("", "")).isTrue();