From 10955c0d72fc11324cebcb2bd8fe4bf56f0f8887 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Fri, 27 Sep 2013 12:49:53 +0200 Subject: [PATCH] Do not use algorithm name as regular expression In org.codehaus.plexus.digest.DigestUtils.cleanChecksum(String, String, String), the second parameter is used as part of the regular expression. Compiling the resulting regular expression can result in a VM error with a crafted algorithm name. The regular expression should be a constant, with a capture group for the algorithm name, and the name should be checked after matching. Originally reported by Florian Weimer in: https://bugzilla.redhat.com/show_bug.cgi?id=959454 --- src/main/java/org/codehaus/plexus/digest/DigestUtils.java | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/codehaus/plexus/digest/DigestUtils.java b/src/main/java/org/codehaus/plexus/digest/DigestUtils.java index a54a8c0..430c3a8 100644 --- a/src/main/java/org/codehaus/plexus/digest/DigestUtils.java +++ b/src/main/java/org/codehaus/plexus/digest/DigestUtils.java @@ -51,16 +51,17 @@ public class DigestUtils String trimmedChecksum = checksum.replace( '\n', ' ' ).trim(); // Free-BSD / openssl - String regex = algorithm.replaceAll( "-", "" ) + "\\s*\\((.*?)\\)\\s*=\\s*([a-fA-F0-9]+)"; + algorithm = algorithm.replaceAll( "-", "" ); + String regex = "(.{" + algorithm.length() + "})\\s*\\((.*?)\\)\\s*=\\s*([a-fA-F0-9]+)"; Matcher m = Pattern.compile( regex ).matcher( trimmedChecksum ); - if ( m.matches() ) + if ( m.matches() && m.group( 1 ).equals( algorithm ) ) { - String filename = m.group( 1 ); + String filename = m.group( 2 ); if ( !isValidChecksumPattern( filename, path ) ) { throw new DigesterException( "Supplied checksum does not match checksum pattern" ); } - trimmedChecksum = m.group( 2 ); + trimmedChecksum = m.group( 3 ); } else { -- 1.8.3.1