Skip to content

fix: use time-constant comparison for security tokens#12192

Merged
Ansku merged 7 commits into7.7from
csrf-fix3
Feb 3, 2021
Merged

fix: use time-constant comparison for security tokens#12192
Ansku merged 7 commits into7.7from
csrf-fix3

Conversation

@TatuLund
Copy link
Contributor

@TatuLund TatuLund commented Jan 28, 2021
edited by Artur-
Loading

This is the same as #12190, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Back porting of #12189

This change is Reviewable

@TatuLund
fix: use time-constant comparison for security tokens
6712fde 
This is the same as #12190, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.
@TatuLund
Add PushHandler fix
8461f04
@TatuLund
Added comment
14e2be3
@TatuLund TatuLund added the v7 label Jan 28, 2021
Ansku
Ansku approved these changes Feb 3, 2021
View reviewed changes
Copy link
Member

@Ansku Ansku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 4 of 4 files at r1.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@Ansku Ansku merged commit d0d2cfb into 7.7 Feb 3, 2021
@Ansku Ansku deleted the csrf-fix3 branch February 3, 2021 14:52
@tarekoraby tarekoraby added this to the 7.7.24 milestone Feb 11, 2021
rjahn added a commit to rjahn/vaadin that referenced this pull request Apr 24, 2025
@rjahn
fix: use time-constant comparison for security tokens (vaadin#12192)
1232ce8 
This is the same as vaadin#12190, but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Backporting of vaadin#12189
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ansku Ansku Ansku approved these changes

Assignees

No one assigned

Labels

v7

Projects

None yet

Milestone

7.7.24

Development

Successfully merging this pull request may close these issues.

3 participants

@TatuLund @Ansku @tarekoraby