commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (LANG-806) RandomStringUtils can enter infinite loop if chosen char does not meet letter/digit requirements
Date Sun, 10 Jun 2012 13:33:43 GMT

     [ https://issues.apache.org/jira/browse/LANG-806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sebb updated LANG-806:
----------------------

    Description: 
An infinite loop can result if the selection process never returns a char that passes the
validation test.

This can occur if the subset specified by the start and end characters does not contain any
valid characters.

For example:

RandomStringUtils.random(3, 5, 10, true, true); // 1

RandomStringUtils.random(3, 56192, 56319, false, false); // 2

There's also the case where only surrogates are allowed, but the buffer is not an even number
of characters, for example:

RandomStringUtils.random(3, 56320, 57343, false, false); // 3

The second example is easy to detect, but in general it does not seem easy to determine in
advance if the subset contains any valid characters - except by evaluating all the possible
char values. This would be expensive if the subset range is large.

One possibility is to count the total number of loops (or retries), and throw an error if
it exceeds a given value. Or count the number of consecutive retries.
In both cases the threshold value must be set high enough to allow for the cases where the
allowable char range contains only a small proportion of valid characters. 

In the case of digits only, the default allowable range is currently set to digits + letters,
so the proportion of valid chars is 10/90 i.e. approx 11%.

A minimum proportion of 1% or 0.1% would be necessary to reduce the number of false positives.

  was:
If numbers == true or digits == true, then an infinite loop can result if the selection process
never returns a char that passes the validation test.

This can occur with

RandomStringUtils.random(1, -1, 1, true, true)

because the gap is 2, i.e. random.nextInt(gap) + start == 0

This is trivial to fix; the code should check that start >=0 and end > start (unless
start==end==0).

It can also occur if the provided char array or array subset does not contain any valid chars.

    
> RandomStringUtils can enter infinite loop if chosen char does not meet letter/digit requirements
> ------------------------------------------------------------------------------------------------
>
>                 Key: LANG-806
>                 URL: https://issues.apache.org/jira/browse/LANG-806
>             Project: Commons Lang
>          Issue Type: Bug
>    Affects Versions: 2.6, 3.1
>            Reporter: Sebb
>            Assignee: Sebb
>
> An infinite loop can result if the selection process never returns a char that passes
the validation test.
> This can occur if the subset specified by the start and end characters does not contain
any valid characters.
> For example:
> RandomStringUtils.random(3, 5, 10, true, true); // 1
> RandomStringUtils.random(3, 56192, 56319, false, false); // 2
> There's also the case where only surrogates are allowed, but the buffer is not an even
number of characters, for example:
> RandomStringUtils.random(3, 56320, 57343, false, false); // 3
> The second example is easy to detect, but in general it does not seem easy to determine
in advance if the subset contains any valid characters - except by evaluating all the possible
char values. This would be expensive if the subset range is large.
> One possibility is to count the total number of loops (or retries), and throw an error
if it exceeds a given value. Or count the number of consecutive retries.
> In both cases the threshold value must be set high enough to allow for the cases where
the allowable char range contains only a small proportion of valid characters. 
> In the case of digits only, the default allowable range is currently set to digits +
letters, so the proportion of valid chars is 10/90 i.e. approx 11%.
> A minimum proportion of 1% or 0.1% would be necessary to reduce the number of false positives.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message