mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (FTPSERVER-486) Timing Side Channel StringUtils
Date Tue, 17 Apr 2018 13:27:00 GMT

     [ https://issues.apache.org/jira/browse/FTPSERVER-486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny reassigned FTPSERVER-486:
-------------------------------------------

    Assignee: Emmanuel Lecharny

> Timing Side Channel StringUtils
> -------------------------------
>
>                 Key: FTPSERVER-486
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-486
>             Project: FtpServer
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.1.1
>         Environment: test on macOS High Sierra 10.13.4, but not relevant
>            Reporter: Yannic Noller
>            Assignee: Emmanuel Lecharny
>            Priority: Major
>              Labels: easyfix, pull-request-available
>             Fix For: 1.1.2
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Dear Apache FTPServer developers,
> We have found a timing side-channel in class org.apache.ftpserver.util.StringUtils, method
"public final static String pad(String src, char padChar, boolean rightPad, int totalLength)".
This method leaks the necessary padding in a timing side channel, from which a potential attacker
could obtain the length of the src String. In your project this method is used to add padding
to a username, hence, a potential attacker could obtain the length of a given username, which
might be used for further attacks.
> Do you agree with our findings?
> We found this class in the latest version of your git repo: https://git-wip-us.apache.org/repos/asf?p=mina-ftpserver.git;a=summary
> As a secure fix we would recommend to use a variant of the equals method, which does
iterate the complete strings in the case of the same string lengths, independent from whether
they do match or not:
>    public final static String pad_safe(String src, char padChar, boolean rightPad, int
totalLength) {
>        int srcLength = src.length();
>        if (srcLength >= totalLength) {
>            return src;
>        }
>        int padLength = totalLength - srcLength;
>        StringBuilder sb = new StringBuilder(padLength);
>        for (int i = 0; i < totalLength; ++i) {
>            if (i < padLength) {
>                sb.append(padChar);
>            } else {
>                sb.append("");
>            }
>        }
>        if (rightPad) {
>            return src + sb.toString();
>        } else {
>            return sb.toString() + src;
>        }
>    }
> Do you agree with our patch proposal?
> Please feel free to contact us for further clarification! You can reach us by the following
email address:
> yannic.noller@informatik.hu-berlin.de
> Best regards,
> Yannic Noller



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message