New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#java# 规范错误的十六进制串联增补修订建议 #16

Open

k4n5ha0 opened this issue May 24, 2021 · 0 comments

k4n5ha0 commented May 24, 2021

将包含哈希签名的字节数组转换为人类可读的字符串时，如果逐字节读取该数组，则可能会发生转换错误。所有对于数据格式化的操作应优先使用规范的数据格式化处理机制。

脆弱代码：

MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] resultBytes = md.digest(password.getBytes("UTF-8"));

StringBuilder stringBuilder = new StringBuilder();
for(byte b :resultBytes) {
	stringBuilder.append( Integer.toHexString( b & 0xFF ) );
}
return stringBuilder.toString();

对于上述功能，哈希值 “0x0679” 和 “0x6709” 都将输出为 “679”

解决方案：

stringBuilder.append(String.format("%02X", b));

The text was updated successfully, but these errors were encountered:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment