Invalid secret request keeps following valid one from being processed #3001
A short walkthrough of the issue that @jomuel found:
My question is how this should be handled:
The rationale here is, since the message is authenticated, we know it's the target who sent the message, if he sent an invalid
I think this is a bug, because in the past that would be fine, before there was no
Edit: So, in short, my opinion is that we should reject subsequent invalid secret requests. The reason is simple: we will never be able to differentiate bugs from attacks, and then I believe assuming the latter is safer.