[jira] [Updated] (LANG-1750) Using RandomStringUtils.insecure() still leads to using the secure() random

Marco Hoek (Jira) Tue, 13 Aug 2024 15:53:06 -0700


     [ 
https://issues.apache.org/jira/browse/LANG-1750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Marco Hoek updated LANG-1750:
-----------------------------
    Component/s: lang.*
                     (was: lang.text.*)

> Using RandomStringUtils.insecure() still leads to using the secure() random
> ---------------------------------------------------------------------------
>
>                 Key: LANG-1750
>                 URL: https://issues.apache.org/jira/browse/LANG-1750
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.16.0
>            Reporter: Marco Hoek
>            Priority: Major
>
> In RandomStringUtils v3.16, the use of secure() vs insecure() is used to be 
> able to choose which random generator to use. However, consider the following 
> code path:
>  
> a) RandomStringUtils.insecure().nextAlphanumeric(length)
> leads to the instance method 'nextAlphanumeric, which in turn calls:
> b) static method RandomStringUtils.random(count, true, true)
> which in turn calls
> c) static method RandomStringUtils.secure().next(count, letters, numbers)
>  
> Conclusion: where I want to use the "insecure" option path, I end up having 
> the call forwarded to the "secure" random provider anyway. Where I then run 
> into the problem of having too low entropy and experiencing terrible 
> performance.... (see LANG-1748)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (LANG-1750) Using RandomStringUtils.insecure() still leads to using the secure() random

Reply via email to