
jfinal 2.3 ^_^

James 9 年 前
コミット
da87d5d966
2 ファイル変更39 行追加8 行削除
  1. 29 6
      src/com/jfinal/kit/HashKit.java
  2. 10 2
      src/com/jfinal/render/CaptchaRender.java

+ 29 - 6
src/com/jfinal/kit/HashKit.java

@@ -22,6 +22,7 @@ public class HashKit {
 	
 	private static final java.security.SecureRandom random = new java.security.SecureRandom();
 	private static final char[] HEX_DIGITS = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
+	private static final char[] CHAR_ARRAY = "_-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".toCharArray();
 	
 	public static String md5(String srcStr){
 		return hash("MD5", srcStr);
@@ -67,14 +68,36 @@ public class HashKit {
 	 * md5 128bit 16bytes
 	 * sha1 160bit 20bytes
 	 * sha256 256bit 32bytes
-	 * sha384 384bit 48bites
-	 * sha512 512bit 64bites
+	 * sha384 384bit 48bytes
+	 * sha512 512bit 64bytes
 	 */
-	public static String generateSalt(int numberOfBytes) {
-		byte[] salt = new byte[numberOfBytes];
-		random.nextBytes(salt);
-		return toHex(salt);
+	public static String generateSalt(int saltLength) {
+		StringBuilder salt = new StringBuilder();
+		for (int i=0; i<saltLength; i++) {
+			salt.append(CHAR_ARRAY[random.nextInt(CHAR_ARRAY.length)]);
+		}
+		return salt.toString();
+	}
+	
+	public static String generateSaltForSha256() {
+		return generateSalt(32);
+	}
+	
+	public static String generateSaltForSha512() {
+		return generateSalt(64);
 	}
+	
+	public static boolean slowEquals(byte[] a, byte[] b) {
+		if (a == null || b == null) {
+			return false;
+		}
+		
+		int diff = a.length ^ b.length;
+		for(int i=0; i<a.length && i<b.length; i++) {
+			diff |= a[i] ^ b[i];
+		}
+		return diff == 0;
+    }
 }
 
 
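Review bot: `generateSalt` now treats its argument as a count of characters drawn from the 64-symbol `CHAR_ARRAY` rather than a count of random bytes, but the comment above it still lists digest sizes in bytes, so an existing caller passing 16 silently gets a 16-character salt (about 96 bits) instead of 32 hex digits (128 bits). The comment should state the new contract, e.g. `@param saltLength number of characters to generate; each character carries 6 bits of randomness`. A negative `saltLength` now yields an empty salt instead of an exception, so a guard such as `if (saltLength <= 0) throw new IllegalArgumentException("saltLength must be positive");` is worth adding. `slowEquals` has no comment; it should say that its running time does not depend on the position of the first differing byte and that `null` on either side returns false.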

+ 10 - 2
src/com/jfinal/render/CaptchaRender.java

@@ -40,6 +40,14 @@ import com.jfinal.render.Render;
 public class CaptchaRender extends Render {
 
 	private static String captchaName = "_jfinal_captcha";
+	private static String salt = HashKit.generateSaltForSha256();
+	
+	public static void setSalt(String salt) {
+		if (StrKit.isBlank(salt)) {
+			throw new IllegalArgumentException("salt can not be blank.");
+		}
+		CaptchaRender.salt = salt;
+	}
 
 	// 默认的验证码大小
 	private static final int WIDTH = 108, HEIGHT = 40;
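Review bot: The default `salt` is generated once per JVM when the class loads, so with more than one node a captcha rendered by one instance will not validate on another unless `setSalt` is called with the same value everywhere, and nothing on `setSalt` documents that. I would add a comment such as `// Must be set to the same secret value on every node before captchas are served; keep it out of logs and source control.` The field is written by `setSalt` and presumably read on request threads without synchronization, so declaring it `private static volatile String salt` would make a runtime change reliably visible.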
@@ -72,7 +80,7 @@ public class CaptchaRender extends Render {
 		BufferedImage image = new BufferedImage(WIDTH, HEIGHT, BufferedImage.TYPE_INT_RGB);
 		String vCode = drawGraphic(image);
 		vCode = vCode.toUpperCase();	// 转成大写重要
-		vCode = HashKit.md5(vCode);
+		vCode = HashKit.md5(salt + vCode);
 		Cookie cookie = new Cookie(captchaName, vCode);
 		cookie.setMaxAge(-1);
 		cookie.setPath("/");
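Review bot: `HashKit.md5(salt + vCode)` uses plain MD5 over a secret-prefix concatenation as the integrity tag for the cookie, and the same construction is repeated at `HashKit.md5(salt + userInputCaptcha)` in the validate hunk. A keyed MAC is the standard primitive for this, for example `javax.crypto.Mac` with `HmacSHA256` keyed by the salt, and it removes the dependence on MD5. The value also carries no timestamp or nonce, so nothing in the cookie bounds how long it stays acceptable. The enclosing method starts and ends outside this hunk.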
@@ -196,7 +204,7 @@ public class CaptchaRender extends Render {
 		}
 		
 		userInputCaptcha = userInputCaptcha.toUpperCase();	// 转成大写重要
-		userInputCaptcha = HashKit.md5(userInputCaptcha);
+		userInputCaptcha = HashKit.md5(salt + userInputCaptcha);
 		boolean result = userInputCaptcha.equals(controller.getCookie(captchaName));
 		if (result == true) {
 			controller.removeCookie(captchaName);
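Review bot: Validation here depends only on two client-supplied values, the cookie and the submitted text, so a pair that validated once keeps validating for as long as the salt is unchanged; `controller.removeCookie(captchaName)` presumably only asks the browser to discard its copy. Recording the expected value, or a one-time nonce with an expiry, on the server side and invalidating it on the first validation attempt would close that gap. Separately, the comparison still uses `String.equals` although this commit adds `HashKit.slowEquals`; after a null check on the cookie, the two values could be compared with it instead. The method body starts and ends outside this hunk.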