Use secure_compare when checking CSRF token #98
Conversation
Since string comparisons may return early we want to use a constant time comparison function to protect the CSRF token against timing attacks. Rack::Utils provides such a function.
Sorry, I'm only just catching up on this issue. My guess is that we have to stay backwards-compatible with older versions of rack. @zzak Thoughts?

@kytrinyx Good question, maybe we should provide our own shim for this method (if possible).

Yeah, that might be the way to go.

I have updated the pull request with the method copied from Rack::Utils so it will work with older versions of Rack too. Does this solution seem ok?
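The approach described in the PR description and in the comment above (a constant-time compare with a shim for Rack versions that lack `Rack::Utils.secure_compare`), as an added example that is not rack-protection's own code. The module name `CsrfCompare`, the `compare` wrapper and the `csrf_token_valid?` helper are assumptions made for the example.

```ruby
# Added example: constant-time CSRF token comparison with a fallback for
# Rack versions that do not ship Rack::Utils.secure_compare.
begin
  require 'rack/utils'
rescue LoadError
  # Rack is not installed; only the local fallback below is used.
end

module CsrfCompare
  # Same semantics as Rack::Utils.secure_compare: a length mismatch returns
  # false right away (the token length is not a secret), otherwise every
  # byte is XORed into an accumulator so the time taken does not depend on
  # the position of the first differing byte, unlike String#==.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    left = a.unpack("C*")
    acc = 0
    i = -1
    b.each_byte { |byte| acc |= byte ^ left[i += 1] }
    acc == 0
  end

  # Shim: prefer the library's implementation where it exists and fall back
  # to the copy above on older Rack releases.
  def self.compare(a, b)
    if defined?(Rack::Utils) && Rack::Utils.respond_to?(:secure_compare)
      Rack::Utils.secure_compare(a, b)
    else
      secure_compare(a, b)
    end
  end

  # Hypothetical CSRF check: a missing or blank token is rejected without
  # ever comparing the strings with ==.
  def self.csrf_token_valid?(session_token, submitted_token)
    return false if session_token.nil? || submitted_token.nil?
    return false if session_token.to_s.empty?

    compare(session_token.to_s, submitted_token.to_s)
  end
end
```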
I have assigned CVE-2018-1000119 for this issue.

@kseifriedredhat The fix was picked into 1.5.5 as well: 06f1b5d. https://nvd.nist.gov/vuln/detail/CVE-2018-1000119 doesn't reflect that.

Who should be notified to update nvd.nist.gov/vuln/detail/CVE-2018-1000119 ?

NVD pulls from MITRE's CVE Database (e.g. https://cve.mitre.org / https://github.com/cveproject/cvelist/) so it's up to NVD to notice and process this. You are free to contact the NVD and ask them to hurry up.

Ah, then I guess this needs fixing: https://github.com/CVEProject/cvelist/blob/master/2018/1000xxx/CVE-2018-1000119.json

I already updated it.

Thanks! I guess the change hasn't propagated to GitHub yet as it is still notifying me about this vulnerability. I'll just wait for that to happen.

CVE processes the data, NVD then pulls and processes the data (this is opaque to me) and then GitHub pulls and processes the data (this is opaque to me) so it can definitely take a while.

Ah, that certainly explains the delay. Thanks for the info!
Since string comparisons may return early we want to use a constant
time comparison function to protect the CSRF token against timing
attacks. Rack::Utils provides such a function.