Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use constant time comparisons for CSRF tokens #9291

Closed
rwinch opened this issue Dec 17, 2020 · 8 comments
Closed

Use constant time comparisons for CSRF tokens #9291

rwinch opened this issue Dec 17, 2020 · 8 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Milestone
5.5.0-M2

Comments

@rwinch
Copy link
Member

rwinch commented Dec 17, 2020
edited
Loading

While it is not a practical exploit at this point, it is best to be defensive. We should change CSRF token comparison to use a constant time comparison to avoid side channel attacks.

NOTE: This was originally reported via Xhelal Likaj, xhelallikaj20@gmail.com
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 17, 2020
@rwinch rwinch closed this as completed in 40e027c Dec 17, 2020
@rwinch rwinch self-assigned this Dec 17, 2020
@rwinch rwinch added this to the 5.5.0-M2 milestone Dec 17, 2020
@ogarber
Copy link

ogarber commented Jan 4, 2021

Hi @rwinch , I have a question: will this fix also be merged in the older pipe-lines (I'm interesting in 5.2.x...).
Thank you in advance

@ogarber
Copy link

ogarber commented Jan 12, 2021

Hi @rwinch , sorry for annoying...
Did you see my previous comment?

@itsmevj
Copy link

itsmevj commented Jan 20, 2021
edited
Loading

Hi @rwinch, will this fix will be merged in older versions like 5.2.x or when can we expect this release

rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
acb5ae6 
Closes gh-9291
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jan 20, 2021
Closed
rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
e6d6b39 
Closes gh-9291
Closed
rwinch pushed a commit that referenced this issue Jan 20, 2021
@rwinch
Constant Time Comparison for CSRF tokens
1181740 
Closes gh-9291
Closed
@rwinch
Copy link
Member Author

rwinch commented Jan 20, 2021

I have backported the issue (see the linked issues). Each issue has a milestone with the expected release date.

@ogarber
Copy link

ogarber commented Jan 21, 2021

Thank you @rwinch !

@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 14, 2021
Closed
This was referenced Apr 14, 2021
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jun 23, 2021
Closed
This was referenced Jul 29, 2021
Open
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Jul 29, 2021
Closed
This was referenced Aug 20, 2021
Closed
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 6, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 28, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Oct 28, 2021
Closed
This was referenced Nov 3, 2021
Closed
Open
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Nov 11, 2021
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Nov 12, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Dec 2, 2021
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue Dec 7, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Dec 30, 2021
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Feb 15, 2022
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 7, 2022
Closed
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue Mar 23, 2022
Open
This was referenced Mar 31, 2022
Closed
Open
@dev-mend-for-github-com dev-mend-for-github-com bot mentioned this issue Apr 8, 2022
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 11, 2022
Closed
@mend-for-github-com mend-for-github-com bot mentioned this issue Apr 18, 2022
Open
@mend-for-github-com mend-for-github-com bot mentioned this issue May 2, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 4, 2022
Open
@mend-bolt-for-github mend-bolt-for-github bot mentioned this issue May 31, 2022
Open
@sureng-whitesource-app sureng-whitesource-app bot mentioned this issue Jul 22, 2022
Open
@joshn-whitesource-app joshn-whitesource-app bot mentioned this issue Dec 27, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) status: backported An issue that has been backported to maintenance branches type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M2
Development

No branches or pull requests
5 participants
@rwinch @spring-projects-issues @andydkelly-ig @itsmevj @ogarber