[FIX SECURITY-241] Compare API tokens in constant time

jenkinsci · Jan 26, 2016 · 79e0b64 · 79e0b64
1 parent 536c01b
commit 79e0b64
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/core/src/main/java/jenkins/security/ApiTokenProperty.java b/core/src/main/java/jenkins/security/ApiTokenProperty.java
@@ -41,6 +41,7 @@
 import org.kohsuke.stapler.StaplerResponse;
 
 import java.io.IOException;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import javax.annotation.Nonnull;
 import org.apache.commons.lang.StringUtils;
@@ -109,7 +110,8 @@ public String getApiToken() {
     }
 
     public boolean matchesPassword(String password) {
-        return  getApiTokenInsecure().equals(password);
+        String token = getApiTokenInsecure();
+        return MessageDigest.isEqual(password.getBytes(), token.getBytes());
     }
 
     private boolean hasPermissionToSeeToken() {