[FIX SECURITY-245] Compare crumbs in constant time

jenkinsci · Jan 26, 2016 · 559566b · 559566b
1 parent 536c01b
commit 559566b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java b/core/src/main/java/hudson/security/csrf/DefaultCrumbIssuer.java
@@ -95,7 +95,7 @@ public boolean validateCrumb(ServletRequest request, String salt, String crumb)
         if (request instanceof HttpServletRequest) {
             String newCrumb = issueCrumb(request, salt);
             if ((newCrumb != null) && (crumb != null)) {
-                return newCrumb.equals(crumb);
+                return MessageDigest.isEqual(newCrumb.getBytes(), crumb.getBytes());
             }
         }
         return false;