Posted to commits@commons.apache.org by se...@apache.org on 2017/03/26 21:43:36 UTC

svn commit: r1788777 - in /commons/proper/codec/trunk/src: changes/changes.xml main/java/org/apache/commons/codec/binary/StringUtils.java test/java/org/apache/commons/codec/binary/StringUtilsTest.java

Author: sebb
Date: Sun Mar 26 21:43:36 2017
New Revision: 1788777

URL: http://svn.apache.org/viewvc?rev=1788777&view=rev
Log:
CODEC-231 StringUtils.equals(CharSequence cs1, CharSequence cs2) can fail with String Index OBE

Modified:
    commons/proper/codec/trunk/src/changes/changes.xml
    commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/binary/StringUtils.java
    commons/proper/codec/trunk/src/test/java/org/apache/commons/codec/binary/StringUtilsTest.java

Modified: commons/proper/codec/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/changes/changes.xml?rev=1788777&r1=1788776&r2=1788777&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/changes/changes.xml (original)
+++ commons/proper/codec/trunk/src/changes/changes.xml Sun Mar 26 21:43:36 2017
@@ -45,6 +45,7 @@ The <action> type attribute can be add,u
     <release version="1.11" date="2017-MM-DD" description="Feature and fix release.">
       <!-- The first attribute below should be the issue id; makes it easier to navigate in the IDE outline -->
 
+      <action issue="CODEC-231" dev="sebb" type="fix">StringUtils.equals(CharSequence cs1, CharSequence cs2) can fail with String Index OBE</action>
       <action issue="CODEC-230" dev="sebb" type="fix">URLCodec.WWW_FORM_URL should be private</action>
       <action issue="CODEC-229" dev="sebb" type="fix">StringUtils.newStringxxx(null) should return null, not NPE</action>
       <action issue="CODEC-220" dev="sebb" type="add">Fluent interface for DigestUtils</action>

Modified: commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/binary/StringUtils.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/binary/StringUtils.java?rev=1788777&r1=1788776&r2=1788777&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/binary/StringUtils.java (original)
+++ commons/proper/codec/trunk/src/main/java/org/apache/commons/codec/binary/StringUtils.java Sun Mar 26 21:43:36 2017
@@ -78,7 +78,7 @@ public class StringUtils {
         if (cs1 instanceof String && cs2 instanceof String) {
             return cs1.equals(cs2);
         }
-        return CharSequenceUtils.regionMatches(cs1, false, 0, cs2, 0, Math.max(cs1.length(), cs2.length()));
+        return cs1.length() == cs2.length() && CharSequenceUtils.regionMatches(cs1, false, 0, cs2, 0, cs1.length());
     }
 
     /**
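Review bot: The CharSequence path of `equals` is not a constant-time comparison, and the method's Javadoc should say so. The new return short-circuits on `cs1.length() == cs2.length()`, and `CharSequenceUtils.regionMatches` presumably stops at the first differing character, so the running time depends on where the inputs differ. The changelog on this page lists `DigestUtils` in the same release, so callers may well reach for this helper to compare hex digests or MACs. I would add a Javadoc sentence such as `Not a constant-time comparison; to compare digests, MACs or other secrets use MessageDigest.isEqual(byte[], byte[]).` The signature and existing Javadoc are outside this hunk, so check whether a similar caveat is already there.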

Modified: commons/proper/codec/trunk/src/test/java/org/apache/commons/codec/binary/StringUtilsTest.java
URL: http://svn.apache.org/viewvc/commons/proper/codec/trunk/src/test/java/org/apache/commons/codec/binary/StringUtilsTest.java?rev=1788777&r1=1788776&r2=1788777&view=diff
==============================================================================
--- commons/proper/codec/trunk/src/test/java/org/apache/commons/codec/binary/StringUtilsTest.java (original)
+++ commons/proper/codec/trunk/src/test/java/org/apache/commons/codec/binary/StringUtilsTest.java Sun Mar 26 21:43:36 2017
@@ -208,4 +208,33 @@ public class StringUtilsTest {
         final String actual = StringUtils.newStringUtf8(BYTES_FIXTURE);
         Assert.assertEquals(expected, actual);
     }
+
+    @Test
+    public void testEqualsString() {
+        Assert.assertTrue(StringUtils.equals(null, null));
+        Assert.assertFalse(StringUtils.equals("abc", null));
+        Assert.assertFalse(StringUtils.equals(null, "abc"));
+        Assert.assertTrue(StringUtils.equals("abc", "abc"));
+        Assert.assertFalse(StringUtils.equals("abc", "abcd"));
+        Assert.assertFalse(StringUtils.equals("abcd", "abc"));
+        Assert.assertFalse(StringUtils.equals("abc", "ABC"));
+    }
+
+    @Test
+    public void testEqualsCS1() {
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), null));
+        Assert.assertFalse(StringUtils.equals(null, new StringBuilder("abc")));
+        Assert.assertTrue(StringUtils.equals(new StringBuilder("abc"), new StringBuilder("abc")));
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), new StringBuilder("abcd")));
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abcd"), new StringBuilder("abc")));
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), new StringBuilder("ABC")));
+    }
+
+    @Test
+    public void testEqualsCS2() {
+        Assert.assertTrue(StringUtils.equals("abc", new StringBuilder("abc")));
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), "abcd"));
+        Assert.assertFalse(StringUtils.equals("abcd", new StringBuilder("abc")));
+        Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), "ABC"));
+    }
 }
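Review bot: The added tests miss the zero-length boundary that the new length check now decides, and every equal-length negative case differs only by letter case. Adding `Assert.assertTrue(StringUtils.equals(new StringBuilder(), ""));` and `Assert.assertFalse(StringUtils.equals(new StringBuilder("abc"), new StringBuilder("abd")));` to `testEqualsCS1` would cover both on the non-String path. The names `testEqualsCS1` and `testEqualsCS2` do not say which argument combination each covers; a one-line comment such as `// both arguments are non-String CharSequences` and `// one String, one non-String CharSequence` would make that clear.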