You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Emmanuel Lécharny (Jira)" <ji...@apache.org> on 2022/03/13 23:57:00 UTC
[jira] [Updated] (FTPSERVER-486) Timing Side Channel StringUtils
[ https://issues.apache.org/jira/browse/FTPSERVER-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lécharny updated FTPSERVER-486:
----------------------------------------
Fix Version/s: 1.1.5
(was: 1.1.2)
> Timing Side Channel StringUtils
> -------------------------------
>
> Key: FTPSERVER-486
> URL: https://issues.apache.org/jira/browse/FTPSERVER-486
> Project: FtpServer
> Issue Type: Bug
> Components: Core
> Affects Versions: 1.1.1
> Environment: test on macOS High Sierra 10.13.4, but not relevant
> Reporter: Yannic Noller
> Assignee: Emmanuel Lécharny
> Priority: Major
> Labels: easyfix, pull-request-available
> Fix For: 1.1.5
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Dear Apache FTPServer developers,
> We have found a timing side-channel in class org.apache.ftpserver.util.StringUtils, method "public final static String pad(String src, char padChar, boolean rightPad, int totalLength)". This method leaks the necessary padding in a timing side channel, from which a potential attacker could obtain the length of the src String. In your project this method is used to add padding to a username, hence, a potential attacker could obtain the length of a given username, which might be used for further attacks.
> Do you agree with our findings?
> We found this class in the latest version of your git repo: https://git-wip-us.apache.org/repos/asf?p=mina-ftpserver.git;a=summary
> As a secure fix we would recommend to use a variant of the equals method, which does iterate the complete strings in the case of the same string lengths, independent from whether they do match or not:
> public final static String pad_safe(String src, char padChar, boolean rightPad, int totalLength) {
> int srcLength = src.length();
> if (srcLength >= totalLength) {
> return src;
> }
> int padLength = totalLength - srcLength;
> StringBuilder sb = new StringBuilder(padLength);
> for (int i = 0; i < totalLength; ++i) {
> if (i < padLength) {
> sb.append(padChar);
> } else {
> sb.append("");
> }
> }
> if (rightPad) {
> return src + sb.toString();
> } else {
> return sb.toString() + src;
> }
> }
> Do you agree with our patch proposal?
> Please feel free to contact us for further clarification! You can reach us by the following email address:
> yannic.noller@informatik.hu-berlin.de
> Best regards,
> Yannic Noller
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org