diff --git a/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java index 0a1a42d3a3..d5699dff2e 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java +++ b/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java @@ -97,7 +97,7 @@ public final class XorCsrfTokenRequestAttributeHandler extends CsrfTokenRequestA System.arraycopy(actualBytes, randomBytesSize, xoredCsrf, 0, tokenSize); byte[] csrfBytes = xorCsrf(randomBytes, xoredCsrf); - return Utf8.decode(csrfBytes); + return (csrfBytes != null) ? Utf8.decode(csrfBytes) : null; } private static String createXoredCsrfToken(SecureRandom secureRandom, String token) { @@ -114,6 +114,9 @@ public final class XorCsrfTokenRequestAttributeHandler extends CsrfTokenRequestA } private static byte[] xorCsrf(byte[] randomBytes, byte[] csrfBytes) { + if (csrfBytes.length < randomBytes.length) { + return null; + } int len = Math.min(randomBytes.length, csrfBytes.length); byte[] xoredCsrf = new byte[len]; System.arraycopy(csrfBytes, 0, xoredCsrf, 0, csrfBytes.length); diff --git a/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java b/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java index 97e1d67cae..acad523c74 100644 --- a/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java +++ b/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java @@ -208,6 +208,14 @@ public class XorCsrfTokenRequestAttributeHandlerTests { assertThat(tokenValue).isEqualTo(this.token.getToken()); } + @Test + public void resolveCsrfTokenIsInvalidThenReturnsNull() { + this.request.setParameter(this.token.getParameterName(), XOR_CSRF_TOKEN_VALUE); + CsrfToken csrfToken = new DefaultCsrfToken("headerName", "paramName", "a"); + String tokenValue = this.handler.resolveCsrfTokenValue(this.request, csrfToken); + assertThat(tokenValue).isNull(); + } + private static Answer fillByteArray() { return (invocation) -> { byte[] bytes = invocation.getArgument(0);