ahdoawhfo/netdisk-fast-download
1
0
Fork 0
mirror of https://github.com/qaiu/netdisk-fast-download.git synced 2026-06-11 07:57:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: 修复 PasswordUtil.checkPassword 中的时序攻击漏洞,使用 MessageDigest.isEqual()

Browse Source
This commit is contained in:
yukaidi
2026-05-29 02:39:31 +08:00
parent 46e9999e4c
commit 1dddec110e
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java
View File

@@ -80,8 +80,10 @@ public class PasswordUtil {
byte[] calculatedHash = md.digest(plainPassword.getBytes(StandardCharsets.UTF_8)); byte[] calculatedHash = md.digest(plainPassword.getBytes(StandardCharsets.UTF_8));
String calculatedHashBase64 = Base64.getEncoder().encodeToString(calculatedHash); String calculatedHashBase64 = Base64.getEncoder().encodeToString(calculatedHash);
// 比较计算出的哈希值和存储的哈希值 // 比较计算出的哈希值和存储的哈希值(使用常量时间比较防止时序攻击)
return hashBase64.equals(calculatedHashBase64); return MessageDigest.isEqual(
hashBase64.getBytes(StandardCharsets.UTF_8),
calculatedHashBase64.getBytes(StandardCharsets.UTF_8));
} catch (Exception e) { } catch (Exception e) {
// 如果发生异常例如格式不正确返回false // 如果发生异常例如格式不正确返回false
return false; return false;