[SECURITY-245] Use US-ASCII to prevent charset issues

76d1958e · Daniel Beck · 281cd6c6 · 76d1958e
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java ...rc/main/java/hudson/security/csrf/DefaultCrumbIssuer.java +3 -1

未找到文件。
--- a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
+++ b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -5,6 +5,7 @@
 */
 package hudson.security.csrf;

+import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.logging.Level;
@@ -96,7 +97,8 @@ public class DefaultCrumbIssuer extends CrumbIssuer {
            String newCrumb = issueCrumb(request, salt);
            if ((newCrumb != null) && (crumb != null)) {
                // String.equals() is not constant-time, but this is
-                return MessageDigest.isEqual(newCrumb.getBytes(), crumb.getBytes());
+                return MessageDigest.isEqual(newCrumb.getBytes(Charset.forName("US-ASCII")),
+                        crumb.getBytes(Charset.forName("US-ASCII")));
            }
        }
        return false;