Posted to commits@shiro.apache.org by co...@apache.org on 2019/11/20 10:12:32 UTC

[shiro] branch master updated: Replaced string equals with internal method that does not leak time

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro.git


The following commit(s) were added to refs/heads/master by this push:
     new d7214d8  Replaced string equals with internal method that does not leak time
     new 4c2027a  Merge pull request #65 from ddold/shiro-458
d7214d8 is described below

commit d7214d8b9cee3e0386ddbcd7f2afeb8112057af2
Author: Dan Dold <do...@gmail.com>
AuthorDate: Tue May 30 08:39:13 2017 +0100

    Replaced string equals with internal method that does not leak time
---
 .../authc/credential/DefaultPasswordService.java    | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java b/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
index d45858e..26000e6 100644
--- a/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
+++ b/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java
@@ -94,7 +94,26 @@ public class DefaultPasswordService implements HashingPasswordService {
 
         Hash computed = this.hashService.computeHash(request);
 
-        return saved.equals(computed);
+        return constantEquals(saved.toString(), computed.toString());
+    }
+
+    private boolean constantEquals(String savedHash, String computedHash) {
+
+        int result = 0;
+        boolean equals;
+        byte [] savedHashByteArray = savedHash.getBytes();
+        byte [] computedHashByteArray = computedHash.getBytes();
+
+        if(savedHashByteArray.length != computedHashByteArray.length){
+            return false;
+        } else {
+            for(int index = 0; index < savedHashByteArray.length; index++){
+                result |= savedHashByteArray[index] ^ computedHashByteArray[index];
+            }
+            equals = (result == 0);
+        }
+
+        return equals;
     }
 
     protected void checkHashFormatDurability() {
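Review bot: `constantEquals` re-implements a comparison the JDK already provides: `java.security.MessageDigest.isEqual(byte[], byte[])` performs the same length check and OR-accumulated XOR loop, so the whole helper could collapse to `return MessageDigest.isEqual(saved.toString().getBytes(StandardCharsets.UTF_8), computed.toString().getBytes(StandardCharsets.UTF_8));` with the loop and the `result`/`equals` locals removed. The two `getBytes()` calls at `byte [] savedHashByteArray = savedHash.getBytes();` and the next line use the platform default charset; passing `StandardCharsets.UTF_8` keeps the byte sequences (and therefore the comparison) stable across JVM configurations. The early `return false` on a length mismatch still reveals whether the two encoded hashes have the same length; that is harmless when both come from the same algorithm and encoding, which seems to be the case here since `computed` is derived from `request`, but it is worth a one-line comment such as `// length mismatch is exposed; both strings are fixed-length encodings of the same algorithm's output` so a future change does not assume the method is length-hiding. Note also that the commit switches the comparison from `saved.equals(computed)` to comparing `toString()` output, which only preserves semantics if `Hash.toString()` is a canonical encoding of the digest bytes — consider comparing `saved.getBytes()` and `computed.getBytes()` directly if that is what the original `equals` did.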