From 1dddec110ed24fde860cf62a69043659670e422f Mon Sep 17 00:00:00 2001
From: yukaidi
Date: Fri, 29 May 2026 02:39:31 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20PasswordUtil.checkP?=
 =?UTF-8?q?assword=20=E4=B8=AD=E7=9A=84=E6=97=B6=E5=BA=8F=E6=94=BB?=
 =?UTF-8?q?=E5=87=BB=E6=BC=8F=E6=B4=9E=EF=BC=8C=E4=BD=BF=E7=94=A8=20Messag?=
 =?UTF-8?q?eDigest.isEqual()?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java b/web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java
index 6d2ae24..62c466f 100644
--- a/web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java
+++ b/web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java
@@ -80,8 +80,10 @@ public class PasswordUtil {
             byte[] calculatedHash = md.digest(plainPassword.getBytes(StandardCharsets.UTF_8));
             String calculatedHashBase64 = Base64.getEncoder().encodeToString(calculatedHash);
 
-            // 比较计算出的哈希值和存储的哈希值
-            return hashBase64.equals(calculatedHashBase64);
+            // 比较计算出的哈希值和存储的哈希值(使用常量时间比较防止时序攻击)
+            return MessageDigest.isEqual(
+                hashBase64.getBytes(StandardCharsets.UTF_8),
+                calculatedHashBase64.getBytes(StandardCharsets.UTF_8));
         } catch (Exception e) {
             // 如果发生异常(例如格式不正确),返回false
             return false;
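Review bot: The constant-time comparison is done on the Base64 text rather than on the digest bytes, so `calculatedHash` is encoded to a String only to be turned back into bytes for `MessageDigest.isEqual`, and `calculatedHashBase64` becomes an unused intermediate; comparing the raw digests is simpler and keeps the comparison on fixed-length input: `byte[] storedHash = Base64.getDecoder().decode(hashBase64);` followed by `return MessageDigest.isEqual(storedHash, calculatedHash);`. A malformed stored hash then raises `IllegalArgumentException` from the decoder, which the existing `catch (Exception e)` already maps to `false`, so the observable contract is unchanged. `MessageDigest.isEqual` returns early on a length mismatch, which is acceptable here because a SHA digest has a fixed length, but that is worth stating in the comment. The enclosing `checkPassword` method starts outside this hunk, so whether `md` is salted before the `digest` call cannot be confirmed from the hunk; if it is not, the commit message's fix addresses the comparison only, not the hashing scheme.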