
Vaadin Flow 2.4.6

@vaadin-bot vaadin-bot released this 29 Jan 14:09 · 22 commits to 2.4 since this release


Changes in Flow from 2.4.5

  • Fixes:
    • Use time-constant comparison for security tokens. PR:9896. Thanks to Xhelal Likaj for reporting this.

      This is the same as #9875, but also applied for the upload security key and the push id since both of those are also used to protect against cross-site attacks. In addition, documentation for the push id is clarified to point out its role.

    • Use time-constant comparison for CSRF tokens. PR:9875. Thanks to Xhelal Likaj for reporting this.

      This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected.
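The two fixes above both replace an early-exit string comparison with a time-constant one. The following is an added illustration written for this page, not code from the Vaadin Flow repository or from PR 9875/9896: it places a byte-by-byte comparison that returns on the first mismatch next to a comparison whose running time does not depend on where the mismatch is, and wraps the latter in a small validator shaped like a CSRF-token check. The class and method names (`TokenCompare`, `earlyExitEquals`, `constantTimeEquals`, `CsrfTokenValidator`) and the sample token are constructed for the example; `java.security.MessageDigest.isEqual` is the JDK utility shown as the drop-in alternative to the hand-written loop.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class TokenCompare {

    // Early-exit comparison (the pattern the release notes move away from):
    // returns as soon as one byte differs, so the time spent grows with the
    // number of leading bytes that already match. That dependency is what a
    // timing attack measures.
    static boolean earlyExitEquals(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != provided[i]) {
                return false;
            }
        }
        return true;
    }

    // Time-constant comparison: always walks the whole expected token and folds
    // every byte difference into one accumulator, so the time taken does not
    // reveal the position of the first mismatch. The length difference is folded
    // into the same accumulator instead of being an early return.
    static boolean constantTimeEquals(byte[] expected, byte[] provided) {
        int diff = expected.length ^ provided.length;
        for (int i = 0; i < expected.length; i++) {
            // Index 'provided' modulo its length so an attacker-controlled short
            // input cannot cause an out-of-bounds read; an empty input is treated
            // as all-zero bytes. Every position of 'expected' is still visited.
            byte p = provided.length == 0 ? 0 : provided[i % provided.length];
            diff |= expected[i] ^ p;
        }
        return diff == 0;
    }

    // Validator shaped like a CSRF-token check: the session holds the expected
    // token, each request presents one, and the comparison is the hardened one.
    static final class CsrfTokenValidator {
        private final byte[] expected;

        CsrfTokenValidator(String sessionToken) {
            this.expected = sessionToken.getBytes(StandardCharsets.UTF_8);
        }

        boolean isValid(String requestToken) {
            if (requestToken == null) {
                return false; // absence is not a secret-dependent branch
            }
            byte[] provided = requestToken.getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual is the JDK's comparison routine commonly used
            // for this purpose; the hand-written loop above shows what it must do.
            return MessageDigest.isEqual(expected, provided)
                    && constantTimeEquals(expected, provided);
        }
    }

    static String newToken() {
        // A random, URL-safe session token such as a framework would generate
        // at session start (constructed here for the demonstration).
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String token = newToken();
        CsrfTokenValidator validator = new CsrfTokenValidator(token);

        System.out.println("correct token accepted: " + validator.isValid(token));
        System.out.println("missing token rejected: " + !validator.isValid(null));
        System.out.println("truncated token rejected: "
                + !validator.isValid(token.substring(0, token.length() - 1)));
        System.out.println("altered token rejected: "
                + !validator.isValid("x" + token.substring(1)));

        byte[] a = "tokenA".getBytes(StandardCharsets.UTF_8);
        byte[] b = "tokenB".getBytes(StandardCharsets.UTF_8);
        System.out.println("both comparisons agree on the answer: "
                + (earlyExitEquals(a, b) == constantTimeEquals(a, b)));
    }
}
```

Both comparison routines return the same boolean for every input; the difference is only in how long they take to do so, which is exactly the side channel the release notes describe. When reviewing similar code, the things to look for are an early `return false` inside the byte loop and a length check that short-circuits before any bytes are compared.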