Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.2.4, 2.0.0-alpha
- Patch
Description
While looking through Shiro code I noticed that there are three places which compare byte[]s representing hashes using `Arrays#equals()`.
To avoid potential timing attacks these should be using `MessageDigest#isEqual()`, which at least starting with Java 6u17 uses a constant-time comparison.
I'm not sure which Java version Shiro targets, but it might make sense to either require Java 7, or to at least strongly suggest this in the documentation.
Attached a patch against trunk, but please also consider fixing this in the 1.2 branch.
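As an added illustration (not the attached patch and not Shiro's own code), the early-exit comparison the report describes next to the two constant-time alternatives it points at; the class and method names and the sample inputs are assumptions made for this example:

```java
import java.security.MessageDigest;
import java.util.Arrays;

public final class HashCompare {

    // Early-exit comparison: returns as soon as a mismatching byte is found,
    // so the time taken depends on how many leading bytes matched.
    static boolean equalsEarlyExit(byte[] expected, byte[] actual) {
        return Arrays.equals(expected, actual);
    }

    // Constant-time comparison via MessageDigest.isEqual: from JDK 6u17 on it
    // examines every byte of equal-length inputs before returning.
    static boolean equalsConstantTime(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    // Portable constant-time comparison for JVMs older than 6u17. Returning
    // early on a length mismatch is acceptable because a digest's length is
    // fixed by the algorithm and is not secret; the byte loop never branches.
    static boolean equalsConstantTimeManual(byte[] expected, byte[] actual) {
        if (expected == null || actual == null) {
            return expected == actual;
        }
        if (expected.length != actual.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ actual[i];   // accumulate differences, no early exit
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a stored hash and two candidate hashes.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] stored = sha256.digest("correct horse".getBytes("UTF-8"));
        byte[] good = sha256.digest("correct horse".getBytes("UTF-8"));
        byte[] bad = sha256.digest("wrong horse".getBytes("UTF-8"));

        System.out.println("early-exit, match:     " + equalsEarlyExit(stored, good));
        System.out.println("constant-time, match:  " + equalsConstantTime(stored, good));
        System.out.println("constant-time, differ: " + equalsConstantTime(stored, bad));
        System.out.println("manual, differ:        " + equalsConstantTimeManual(stored, bad));
    }
}
```

All three methods return the same boolean; only their timing behaviour differs, which is why a code review cannot tell them apart by output alone.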