Vaadin Flow 2.4.6
Vaadin Flow 2.4.6
Changes in Flow from 2.4.5
- Fixes:
-
⧉ Use time-constant comparison for security tokens. PR:9896 Thanks to Xhelal Likaj for reporting this
This is the same as #9875, but also applied for the upload security key and the push id since both of those are also used to protect against cross-site attacks. In addition, documentation for the push id is clarified to point out its role.
-
⧉ Use time-constant comparison for CSRF tokens. PR:9875 Thanks to Xhelal Likaj for reporting this
This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected.
-