You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2012/06/10 15:33:43 UTC
[jira] [Updated] (LANG-806) RandomStringUtils can enter infinite
loop if chosen char does not meet letter/digit requirements
[ https://issues.apache.org/jira/browse/LANG-806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebb updated LANG-806:
----------------------
Description:
An infinite loop can result if the selection process never returns a char that passes the validation test.
This can occur if the subset specified by the start and end characters does not contain any valid characters.
For example:
RandomStringUtils.random(3, 5, 10, true, true); // 1
RandomStringUtils.random(3, 56192, 56319, false, false); // 2
There's also the case where only surrogates are allowed, but the buffer is not an even number of characters, for example:
RandomStringUtils.random(3, 56320, 57343, false, false); // 3
The second example is easy to detect, but in general it does not seem easy to determine in advance if the subset contains any valid characters - except by evaluating all the possible char values. This would be expensive if the subset range is large.
One possibility is to count the total number of loops (or retries), and throw an error if it exceeds a given value. Or count the number of consecutive retries.
In both cases the threshold value must be set high enough to allow for the cases where the allowable char range contains only a small proportion of valid characters.
In the case of digits only, the default allowable range is currently set to digits + letters, so the proportion of valid chars is 10/90 i.e. approx 11%.
A minimum proportion of 1% or 0.1% would be necessary to reduce the number of false positives.
was:
If numbers == true or digits == true, then an infinite loop can result if the selection process never returns a char that passes the validation test.
This can occur with
RandomStringUtils.random(1, -1, 1, true, true)
because the gap is 2, i.e. random.nextInt(gap) + start == 0
This is trivial to fix; the code should check that start >=0 and end > start (unless start==end==0).
It can also occur if the provided char array or array subset does not contain any valid chars.
> RandomStringUtils can enter infinite loop if chosen char does not meet letter/digit requirements
> ------------------------------------------------------------------------------------------------
>
> Key: LANG-806
> URL: https://issues.apache.org/jira/browse/LANG-806
> Project: Commons Lang
> Issue Type: Bug
> Affects Versions: 2.6, 3.1
> Reporter: Sebb
> Assignee: Sebb
>
> An infinite loop can result if the selection process never returns a char that passes the validation test.
> This can occur if the subset specified by the start and end characters does not contain any valid characters.
> For example:
> RandomStringUtils.random(3, 5, 10, true, true); // 1
> RandomStringUtils.random(3, 56192, 56319, false, false); // 2
> There's also the case where only surrogates are allowed, but the buffer is not an even number of characters, for example:
> RandomStringUtils.random(3, 56320, 57343, false, false); // 3
> The second example is easy to detect, but in general it does not seem easy to determine in advance if the subset contains any valid characters - except by evaluating all the possible char values. This would be expensive if the subset range is large.
> One possibility is to count the total number of loops (or retries), and throw an error if it exceeds a given value. Or count the number of consecutive retries.
> In both cases the threshold value must be set high enough to allow for the cases where the allowable char range contains only a small proportion of valid characters.
> In the case of digits only, the default allowable range is currently set to digits + letters, so the proportion of valid chars is 10/90 i.e. approx 11%.
> A minimum proportion of 1% or 0.1% would be necessary to reduce the number of false positives.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira