Skip to content

Commit ad28b0f

Browse files
committed
Md5Crypt now throws IllegalArgumentException on an invalid prefix
1 parent cd16988 commit ad28b0f

3 files changed

Lines changed: 22 additions & 3 deletions

File tree

src/changes/changes.xml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,7 @@ The <action> type attribute can be add,update,fix,remove.
4545
<body>
4646
<release version="1.17.1" date="YYYY-MM-DD" description="Feature and fix release. Requires a minimum of Java 8.">
4747
<!-- FIX -->
48+
<action type="fix" dev="ggregory" due-to="Gary Gregory">Md5Crypt now throws IllegalArgumentException on an invalid prefix.</action>
4849
<!-- ADD -->
4950
<!-- UPDATE -->
5051
</release>

src/main/java/org/apache/commons/codec/digest/Md5Crypt.java

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@
2020
import java.security.MessageDigest;
2121
import java.security.SecureRandom;
2222
import java.util.Arrays;
23+
import java.util.Objects;
2324
import java.util.Random;
2425
import java.util.regex.Matcher;
2526
import java.util.regex.Pattern;
@@ -238,7 +239,7 @@ public static String md5Crypt(final byte[] keyBytes, final String salt) {
238239
* real salt value without prefix or "rounds=". The salt may be null, in which case a salt
239240
* is generated for you using {@link SecureRandom}.
240241
* @param prefix
241-
* salt prefix
242+
* The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}.
242243
* @return the hash value
243244
* @throws IllegalArgumentException
244245
* if the salt does not match the allowed pattern
@@ -261,13 +262,13 @@ public static String md5Crypt(final byte[] keyBytes, final String salt, final St
261262
* real salt value without prefix or "rounds=". The salt may be null, in which case a salt
262263
* is generated for you using {@link SecureRandom}.
263264
* @param prefix
264-
* salt prefix
265+
* The salt prefix {@value #APR1_PREFIX}, {@value #MD5_PREFIX}.
265266
* @param random
266267
* the instance of {@link Random} to use for generating the salt.
267268
* Consider using {@link SecureRandom} for more secure salts.
268269
* @return the hash value
269270
* @throws IllegalArgumentException
270-
* if the salt does not match the allowed pattern
271+
* if the salt or prefix does not match the allowed pattern
271272
* @throws IllegalArgumentException
272273
* when a {@link java.security.NoSuchAlgorithmException} is caught.
273274
* @since 1.12
@@ -280,6 +281,13 @@ public static String md5Crypt(final byte[] keyBytes, final String salt, final St
280281
if (salt == null) {
281282
saltString = B64.getRandomSalt(8, random);
282283
} else {
284+
Objects.requireNonNull(prefix, "prefix");
285+
if (prefix.length() < 3) {
286+
throw new IllegalArgumentException("Invalid prefix value: " + prefix);
287+
}
288+
if (prefix.charAt(0) != '$' && prefix.charAt(prefix.length() - 1) != '$') {
289+
throw new IllegalArgumentException("Invalid prefix value: " + prefix);
290+
}
283291
final Pattern p = Pattern.compile("^" + prefix.replace("$", "\\$") + "([\\.\\/a-zA-Z0-9]{1,8}).*");
284292
final Matcher m = p.matcher(salt);
285293
if (!m.find()) {

src/test/java/org/apache/commons/codec/digest/Md5CryptTest.java

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,16 @@ public void testCtor() {
3535
assertNotNull(new Md5Crypt()); // for code-coverage
3636
}
3737

38+
@Test
39+
public void testInvalidPrefix() {
40+
assertThrows(IllegalArgumentException.class, () -> Md5Crypt.md5Crypt(new byte[] { 1, 2, 3, 4, 5 },
41+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!", "(.*a){10000}"));
42+
assertThrows(IllegalArgumentException.class, () -> Md5Crypt.md5Crypt(new byte[] { 1, 2, 3, 4, 5 },
43+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!", "$(.*a){10000}$"));
44+
assertThrows(IllegalArgumentException.class, () -> Md5Crypt.md5Crypt(new byte[] { 1, 2, 3, 4, 5 },
45+
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "$(.*a){10000}$"));
46+
}
47+
3848
@Test
3949
public void testMd5CryptBytes() {
4050
// An empty Bytearray equals an empty String

0 commit comments

Comments
 (0)