2020import java .security .MessageDigest ;
2121import java .security .SecureRandom ;
2222import java .util .Arrays ;
23+ import java .util .Objects ;
2324import java .util .Random ;
2425import java .util .regex .Matcher ;
2526import java .util .regex .Pattern ;
@@ -238,7 +239,7 @@ public static String md5Crypt(final byte[] keyBytes, final String salt) {
238239 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt
239240 * is generated for you using {@link SecureRandom}.
240241 * @param prefix
241- * salt prefix
242+ * The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}.
242243 * @return the hash value
243244 * @throws IllegalArgumentException
244245 * if the salt does not match the allowed pattern
@@ -261,13 +262,13 @@ public static String md5Crypt(final byte[] keyBytes, final String salt, final St
261262 * real salt value without prefix or "rounds=". The salt may be null, in which case a salt
262263 * is generated for you using {@link SecureRandom}.
263264 * @param prefix
264- * salt prefix
265+ * The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}.
265266 * @param random
266267 * the instance of {@link Random} to use for generating the salt.
267268 * Consider using {@link SecureRandom} for more secure salts.
268269 * @return the hash value
269270 * @throws IllegalArgumentException
270- * if the salt does not match the allowed pattern
271+ * if the salt or prefix does not match the allowed pattern
271272 * @throws IllegalArgumentException
272273 * when a {@link java.security.NoSuchAlgorithmException} is caught.
273274 * @since 1.12
@@ -280,6 +281,13 @@ public static String md5Crypt(final byte[] keyBytes, final String salt, final St
280281 if (salt == null ) {
281282 saltString = B64 .getRandomSalt (8 , random );
282283 } else {
284+ Objects .requireNonNull (prefix , "prefix" );
285+ if (prefix .length () < 3 ) {
286+ throw new IllegalArgumentException ("Invalid prefix value: " + prefix );
287+ }
288+ if (prefix .charAt (0 ) != '$' && prefix .charAt (prefix .length () - 1 ) != '$' ) {
289+ throw new IllegalArgumentException ("Invalid prefix value: " + prefix );
290+ }
283291 final Pattern p = Pattern .compile ("^" + prefix .replace ("$" , "\\ $" ) + "([\\ .\\ /a-zA-Z0-9]{1,8}).*" );
284292 final Matcher m = p .matcher (salt );
285293 if (!m .find ()) {
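Review bot: The second prefix check joins its two tests with `&&`, so a prefix is rejected only when it neither starts nor ends with `$`; a prefix that starts with `$` but lacks the closing `$` (or the reverse) still reaches `Pattern.compile`. The condition should read `if (prefix.charAt(0) != '$' || prefix.charAt(prefix.length() - 1) != '$') {`. Only `$` is escaped before the prefix is concatenated into the regex, so any other metacharacter in a caller-supplied prefix is interpreted as pattern syntax; `Pattern.quote(prefix)` would avoid that. The checks sit in the `else` branch, so they appear to be skipped when `salt` is null, and `Objects.requireNonNull` throws `NullPointerException`, which the Javadoc `@throws` list does not mention. The body of `md5Crypt` starts and ends outside this hunk.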