Use hmac for token hashes to avoid collisions #11101
We'll have to mention in the release notes that security component tokens changed, and that existing tokens will become invalid.
Codecov Report
@@ Coverage Diff @@
## master #11101 +/- ##
============================================
+ Coverage 94.89% 95.03% +0.14%
- Complexity 12841 13336 +495
============================================
Files 437 437
Lines 32742 34026 +1284
============================================
+ Hits 31070 32338 +1268
- Misses 1672 1688 +16
Additional PR created targeting this PR's branch, see #11151
Add user specific data to token hash to avoid privilege escalation
Moving to 3.6 as the risk of breaking user form submissions is high enough.
Use hmac for token hashes to avoid collisions.
Also includes changes of #11151 now, making token hash user specific to avoid privilege escalation
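
The two changes named in this pull request, a keyed HMAC for the form token and user-specific data in the hashed input, shown as an added Python example that is not code from the pull request or the project. The function names, the `SECRET` value, the field lists, the session identifiers and the unkeyed `legacy_token` baseline are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample secret; not a value from the pull request.
SECRET = b"constructed-application-salt"


def _encode(parts):
    # Length-prefix every part so ("ab", "c") and ("a", "bc") serialize differently.
    return b"".join(len(p).to_bytes(4, "big") + p for p in (s.encode() for s in parts))


def legacy_token(url, fields):
    # Assumed baseline: unkeyed digest over plainly concatenated parts plus a salt.
    return hashlib.sha1((url + "".join(fields)).encode() + SECRET).hexdigest()


def form_token(url, fields, session_id, key=SECRET):
    # Keyed MAC over an unambiguous encoding; session_id ties the token to one user.
    msg = _encode([url, *fields, session_id])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_form_token(token, url, fields, session_id, key=SECRET):
    # Recompute and compare in constant time.
    expected = form_token(url, fields, session_id, key)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    url = "/users/edit"  # constructed path
    # Two different field lists that concatenate to the same string.
    a, b = ["name", "role"], ["namer", "ole"]
    print("legacy collides:", legacy_token(url, a) == legacy_token(url, b))
    print("hmac collides:  ", form_token(url, a, "sess-alice") == form_token(url, b, "sess-alice"))

    token = form_token(url, a, "sess-alice")
    print("same user:      ", verify_form_token(token, url, a, "sess-alice"))
    print("other user:     ", verify_form_token(token, url, a, "sess-bob"))
```

Changing the token construction this way invalidates every token issued under the old scheme, which is the release-note point raised in the conversation above.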