[jira] [Closed] (LANG-806) RandomStringUtils can enter infinite loop if chosen char does not meet letter/digit requirements

Thu, 25 May 2017 06:00:22 -0700 

     [ 
https://issues.apache.org/jira/browse/LANG-806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pascal Schumacher closed LANG-806.
----------------------------------
       Resolution: Won't Fix
         Assignee: Pascal Schumacher
    Fix Version/s:     (was: Review Patch)

RandomStringUtils will be deprecated in commons-lang 3.6 in favor of 
RandomStringGenerator from commons-text. Please use 
[RandomStringGenerator|https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/RandomStringGenerator.html]
 instead.

> RandomStringUtils can enter infinite loop if chosen char does not meet 
> letter/digit requirements
> ------------------------------------------------------------------------------------------------
>
>                 Key: LANG-806
>                 URL: https://issues.apache.org/jira/browse/LANG-806
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 2.6, 3.1
>            Reporter: Sebb
>            Assignee: Pascal Schumacher
>         Attachments: LANG-806.patch, RandomStringException.java
>
>
> An infinite loop can result if the selection process never returns a char 
> that passes the validation test.
> This can occur if the subset specified by the start and end characters does 
> not contain any valid characters.
> For example:
> {code:java}
> RandomStringUtils.random(3, 5, 10, true, true); // 1
> RandomStringUtils.random(3, 56192, 56319, false, false); // 2
> {code}
> There's also the case where only surrogates are allowed, but the buffer is 
> not an even number of characters, for example:
> {code:java}
> RandomStringUtils.random(3, 56320, 57343, false, false); // 3
> {code}
> The second example is easy to detect, but in general it does not seem easy to 
> determine in advance if the subset contains any valid characters - except by 
> evaluating all the possible char values. This would be expensive if the 
> subset range is large.
> One possibility is to count the total number of loops (or retries), and throw 
> an error if it exceeds a given value. Or count the number of consecutive 
> retries.
> In both cases the threshold value must be set high enough to allow for the 
> cases where the allowable char range contains only a small proportion of 
> valid characters. 
> In the case of digits only, the default allowable range is currently set to 
> digits + letters, so the proportion of valid chars is 10/90 i.e. approx 11%.
> A minimum proportion of 1% or 0.1% would be necessary to reduce the number of 
> false positives.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to