[ http://mc4j.org/jira/browse/STS-459?page=all ]
Ben Gunter resolved STS-459.
----------------------------
Resolution: Fixed
A magic number is prefixed to the result before encryption and checked for upon
decryption. In testing this, I also found that most of the time when a bogus
value is fed in to decrypt it results in a BadPaddingException so I added a
try/catch to catch that and IllegalBlockSizeException. Those cases plus the
case of a bogus input that happens to decrypt properly are logged as a warning
and null is returned.
> CryptoUtil should validate its input
> ------------------------------------
>
> Key: STS-459
> URL: http://mc4j.org/jira/browse/STS-459
> Project: Stripes
> Issue Type: Bug
> Reporter: Ben Gunter
> Assigned To: Ben Gunter
> Fix For: Release 1.5
>
>
> It appears that CryptoUtil will gladly accept any Base64-encoded value,
> decode it, decrypt with a Cipher and return the bytes as a String. This
> allows Stripes to end up using garbage input, which might cause trouble. When
> decrypting, CryptoUtil should take measures to ensure it is dealing with
> values that were encrypted with the same session key.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://mc4j.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
