From b201c85c2cda4965bb5121597d5351f9bc962181 Mon Sep 17 00:00:00 2001
From: Chad <chad.d.currie@gmail.com>
Date: Thu, 2 Sep 2021 02:08:20 +1200
Subject: [PATCH] Dispose RNGCryptoServiceProvider (#11001)

---
 .../Security/MachineKeyGenerator.cs           | 14 ++--
 .../Security/MembershipProviderBase.cs        | 70 ++++++++++---------
 2 files changed, 45 insertions(+), 39 deletions(-)

diff --git a/src/Umbraco.Core/Security/MachineKeyGenerator.cs b/src/Umbraco.Core/Security/MachineKeyGenerator.cs
index a20f04c919..848c7a0983 100644
--- a/src/Umbraco.Core/Security/MachineKeyGenerator.cs
+++ b/src/Umbraco.Core/Security/MachineKeyGenerator.cs
@@ -71,14 +71,16 @@ namespace Umbraco.Core.Security
         private string GenerateKey(int len = 64)
         {
             var buff = new byte[len / 2];
-            var rng = new RNGCryptoServiceProvider();
-            rng.GetBytes(buff);
-            var sb = new StringBuilder(len);
+            using (var rng = new RNGCryptoServiceProvider())
+            {
+                rng.GetBytes(buff);
+                var sb = new StringBuilder(len);
 
-            for (int i = 0; i < buff.Length; i++)
-                sb.Append(string.Format("{0:X2}", buff[i]));
+                for (int i = 0; i < buff.Length; i++)
+                    sb.Append(string.Format("{0:X2}", buff[i]));
 
-            return sb.ToString();
+                return sb.ToString();
+            }
         }
     }
 }
diff --git a/src/Umbraco.Core/Security/MembershipProviderBase.cs b/src/Umbraco.Core/Security/MembershipProviderBase.cs
index 0bc8de492a..1747b5a939 100644
--- a/src/Umbraco.Core/Security/MembershipProviderBase.cs
+++ b/src/Umbraco.Core/Security/MembershipProviderBase.cs
@@ -703,44 +703,46 @@ namespace Umbraco.Core.Security
 
             if (PasswordFormat == MembershipPasswordFormat.Hashed)
             {
-                var hashAlgorithm = GetHashAlgorithm(pass);
-                var algorithm = hashAlgorithm as KeyedHashAlgorithm;
-                if (algorithm != null)
+                using (var hashAlgorithm = GetHashAlgorithm(pass))
                 {
-                    var keyedHashAlgorithm = algorithm;
-                    if (keyedHashAlgorithm.Key.Length == saltBytes.Length)
+                    var algorithm = hashAlgorithm as KeyedHashAlgorithm;
+                    if (algorithm != null)
                     {
-                        //if the salt bytes is the required key length for the algorithm, use it as-is
-                        keyedHashAlgorithm.Key = saltBytes;
-                    }
-                    else if (keyedHashAlgorithm.Key.Length < saltBytes.Length)
-                    {
-                        //if the salt bytes is too long for the required key length for the algorithm, reduce it
-                        var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
-                        Buffer.BlockCopy(saltBytes, 0, numArray2, 0, numArray2.Length);
-                        keyedHashAlgorithm.Key = numArray2;
+                        var keyedHashAlgorithm = algorithm;
+                        if (keyedHashAlgorithm.Key.Length == saltBytes.Length)
+                        {
+                            //if the salt bytes is the required key length for the algorithm, use it as-is
+                            keyedHashAlgorithm.Key = saltBytes;
+                        }
+                        else if (keyedHashAlgorithm.Key.Length < saltBytes.Length)
+                        {
+                            //if the salt bytes is too long for the required key length for the algorithm, reduce it
+                            var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
+                            Buffer.BlockCopy(saltBytes, 0, numArray2, 0, numArray2.Length);
+                            keyedHashAlgorithm.Key = numArray2;
+                        }
+                        else
+                        {
+                            //if the salt bytes is too short for the required key length for the algorithm, extend it
+                            var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
+                            var dstOffset = 0;
+                            while (dstOffset < numArray2.Length)
+                            {
+                                var count = Math.Min(saltBytes.Length, numArray2.Length - dstOffset);
+                                Buffer.BlockCopy(saltBytes, 0, numArray2, dstOffset, count);
+                                dstOffset += count;
+                            }
+                            keyedHashAlgorithm.Key = numArray2;
+                        }
+                        inArray = keyedHashAlgorithm.ComputeHash(bytes);
                     }
                     else
                     {
-                        //if the salt bytes is too short for the required key length for the algorithm, extend it
-                        var numArray2 = new byte[keyedHashAlgorithm.Key.Length];
-                        var dstOffset = 0;
-                        while (dstOffset < numArray2.Length)
-                        {
-                            var count = Math.Min(saltBytes.Length, numArray2.Length - dstOffset);
-                            Buffer.BlockCopy(saltBytes, 0, numArray2, dstOffset, count);
-                            dstOffset += count;
-                        }
-                        keyedHashAlgorithm.Key = numArray2;
+                        var buffer = new byte[saltBytes.Length + bytes.Length];
+                        Buffer.BlockCopy(saltBytes, 0, buffer, 0, saltBytes.Length);
+                        Buffer.BlockCopy(bytes, 0, buffer, saltBytes.Length, bytes.Length);
+                        inArray = hashAlgorithm.ComputeHash(buffer);
                     }
-                    inArray = keyedHashAlgorithm.ComputeHash(bytes);
-                }
-                else
-                {
-                    var buffer = new byte[saltBytes.Length + bytes.Length];
-                    Buffer.BlockCopy(saltBytes, 0, buffer, 0, saltBytes.Length);
-                    Buffer.BlockCopy(bytes, 0, buffer, saltBytes.Length, bytes.Length);
-                    inArray = hashAlgorithm.ComputeHash(buffer);
                 }
             }
             else
@@ -850,7 +852,9 @@ namespace Umbraco.Core.Security
         protected internal static string GenerateSalt()
         {
             var numArray = new byte[16];
-            new RNGCryptoServiceProvider().GetBytes(numArray);
+            using (var rng = new RNGCryptoServiceProvider()) {
+                rng.GetBytes(numArray);
+            }
             return Convert.ToBase64String(numArray);
         }