[ https://issues.apache.org/jira/browse/LANG-806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pascal Schumacher closed LANG-806. ---------------------------------- Resolution: Won't Fix Assignee: Pascal Schumacher Fix Version/s: (was: Review Patch) RandomStringUtils will be deprecated in commons-lang 3.6 in favor of RandomStringGenerator from commons-text. Please use [RandomStringGenerator|https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/RandomStringGenerator.html] instead. > RandomStringUtils can enter infinite loop if chosen char does not meet > letter/digit requirements > ------------------------------------------------------------------------------------------------ > > Key: LANG-806 > URL: https://issues.apache.org/jira/browse/LANG-806 > Project: Commons Lang > Issue Type: Bug > Components: lang.* > Affects Versions: 2.6, 3.1 > Reporter: Sebb > Assignee: Pascal Schumacher > Attachments: LANG-806.patch, RandomStringException.java > > > An infinite loop can result if the selection process never returns a char > that passes the validation test. > This can occur if the subset specified by the start and end characters does > not contain any valid characters. > For example: > {code:java} > RandomStringUtils.random(3, 5, 10, true, true); // 1 > RandomStringUtils.random(3, 56192, 56319, false, false); // 2 > {code} > There's also the case where only surrogates are allowed, but the buffer is > not an even number of characters, for example: > {code:java} > RandomStringUtils.random(3, 56320, 57343, false, false); // 3 > {code} > The second example is easy to detect, but in general it does not seem easy to > determine in advance if the subset contains any valid characters - except by > evaluating all the possible char values. This would be expensive if the > subset range is large. > One possibility is to count the total number of loops (or retries), and throw > an error if it exceeds a given value. Or count the number of consecutive > retries. > In both cases the threshold value must be set high enough to allow for the > cases where the allowable char range contains only a small proportion of > valid characters. > In the case of digits only, the default allowable range is currently set to > digits + letters, so the proportion of valid chars is 10/90 i.e. approx 11%. > A minimum proportion of 1% or 0.1% would be necessary to reduce the number of > false positives. -- This message was sent by Atlassian JIRA (v6.3.15#6346)