Yannic Noller created FTPSERVER-486:
---------------------------------------
Summary: Timing Side Channel StringUtils
Key: FTPSERVER-486
URL: https://issues.apache.org/jira/browse/FTPSERVER-486
Project: FtpServer
Issue Type: Bug
Components: Core
Affects Versions: 1.1.1
Environment: test on macOS High Sierra 10.13.4, but not relevant
Reporter: Yannic Noller
Fix For: 1.1.2
Dear Apache FTPServer developers,
We have found a timing side-channel in class
org.apache.ftpserver.util.StringUtils, method "public final static String
pad(String src, char padChar, boolean rightPad, int totalLength)". This method
leaks the necessary padding in a timing side channel, from which a potential
attacker could obtain the length of the src String. In your project this method
is used to add padding to a username, hence, a potential attacker could obtain
the length of a given username, which might be used for further attacks.
Do you agree with our findings?
We found this class in the latest version of your git repo:
https://git-wip-us.apache.org/repos/asf?p=mina-ftpserver.git;a=summary
As a secure fix we would recommend using a variant of the equals method, which
iterates over the complete strings in the case of equal string lengths,
independently of whether they match or not:
public final static String pad_safe(String src, char padChar, boolean rightPad, int totalLength) {
    int srcLength = src.length();
    if (srcLength >= totalLength) {
        return src;
    }
    int padLength = totalLength - srcLength;
    StringBuilder sb = new StringBuilder(padLength);
    // Always iterate totalLength times so the loop count does not depend on
    // srcLength; only the first padLength iterations append a pad character.
    for (int i = 0; i < totalLength; ++i) {
        if (i < padLength) {
            sb.append(padChar);
        } else {
            sb.append("");
        }
    }
    if (rightPad) {
        return src + sb.toString();
    } else {
        return sb.toString() + src;
    }
}
Do you agree with our patch proposal?
Please feel free to contact us for further clarification! You can reach us at
the following email address:
[email protected]
Best regards,
Yannic Noller
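As an added illustration (not code from the report or from FtpServer), the Java class below puts a length-dependent pad, reconstructed here as padUnsafe on the assumption that the original loops only padLength times, next to the totalLength loop proposed above; each variant counts its loop iterations so the dependence on src.length() shows up deterministically instead of through noisy wall-clock timing.

```java
import java.util.Arrays;
// Added example, not FtpServer's own code. padUnsafe is an assumed reconstruction of a
// pad() whose loop count follows the padding needed; padSafe follows the proposal above.
public final class PadWorkDemo {
    // Assumed vulnerable shape: loop count == padLength, so the work done (and hence
    // the time taken) varies with src.length(). work[0] counts loop iterations.
    static String padUnsafe(String src, char padChar, boolean rightPad, int totalLength, int[] work) {
        int padLength = totalLength - src.length();
        if (padLength <= 0) {
            return src;
        }
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < padLength; ++i) {
            work[0]++;
            sb.append(padChar);
        }
        return rightPad ? src + sb.toString() : sb.toString() + src;
    }
    // Proposed shape: always loop totalLength times; only the first padLength iterations
    // append. Note the early return still separates inputs of length >= totalLength.
    static String padSafe(String src, char padChar, boolean rightPad, int totalLength, int[] work) {
        int srcLength = src.length();
        if (srcLength >= totalLength) {
            return src;
        }
        int padLength = totalLength - srcLength;
        StringBuilder sb = new StringBuilder(padLength);
        for (int i = 0; i < totalLength; ++i) {
            work[0]++;
            if (i < padLength) {
                sb.append(padChar);
            } else {
                sb.append("");
            }
        }
        return rightPad ? src + sb.toString() : sb.toString() + src;
    }
    public static void main(String[] args) {
        // Constructed sample usernames of differing length, each padded to 16 characters.
        for (String user : Arrays.asList("ab", "alice", "administrator")) {
            int[] unsafeWork = {0};
            int[] safeWork = {0};
            boolean same = padUnsafe(user, ' ', true, 16, unsafeWork)
                    .equals(padSafe(user, ' ', true, 16, safeWork));
            System.out.printf("%-14s unsafe=%2d safe=%2d sameOutput=%b%n", user, unsafeWork[0], safeWork[0], same);
        }
    }
}
```

With a width of 16 the unsafe counter reads 14, 11 and 3 for the three names while the safe counter reads 16 every time, and both variants produce identical padded strings.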
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)