Author: stillalex Date: Wed Jun 6 11:20:14 2018 New Revision: 1833010 URL: http://svn.apache.org/viewvc?rev=1833010&view=rev Log: OAK-7506 Prevent user enumeration by exploiting time delay vulnerability
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java
Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java?rev=1833010&r1=1833009&r2=1833010&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserAuthentication.java Wed Jun 6 11:20:14 2018
@@ -16,6 +16,8 @@
 */
 package org.apache.jackrabbit.oak.security.user;
+import java.io.UnsupportedEncodingException;
+import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.concurrent.TimeUnit;
@@ -103,6 +105,13 @@ class UserAuthentication implements Auth
 UserManager userManager = config.getUserManager(root, NamePathMapper.DEFAULT);
 Authorizable authorizable = userManager.getAuthorizable(loginId);
 if (authorizable == null) {
+ // best effort prevent user enumeration timing attacks
+ try {
+ String hash = PasswordUtil.buildPasswordHash("oak");
+ PasswordUtil.isSame(hash, "oak");
+ } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
+ // ignore
+ }
 return false;
 }
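Review bot: The dummy work in the `authorizable == null` branch does not mirror the real path: it calls `PasswordUtil.buildPasswordHash("oak")` and then `PasswordUtil.isSame(hash, "oak")`, so the unknown-user branch appears to hash twice where a known user is presumably verified once against a stored hash, and the constant "oak" is hashed with `buildPasswordHash`'s defaults rather than whatever algorithm and iteration count the stored user hashes use (not visible here, so this is inferred). To make the timing closer, build the dummy hash once at class initialization with the configured parameters and only run the comparison here: `PasswordUtil.isSame(DUMMY_HASH, "oak");`. The `// ignore` catch is reasonable as best effort, but a trace/debug log line naming the failed algorithm would help operators notice when the mitigation silently stops running. The enclosing method starts and ends outside this hunk, so other early-return branches (e.g. an authorizable that is not a user) are not covered by this note and may have the same timing gap.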