]> source.dussan.org Git - vaadin-framework.git/commit
projects / vaadin-framework.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 560cccc) | patch
fix: use time-constant comparison for CSRF tokens (#12188) (#12196)
authorAnna Koskinen <Ansku@users.noreply.github.com>
Wed, 3 Feb 2021 14:39:35 +0000 (16:39 +0200)
committerGitHub <noreply@github.com>
Wed, 3 Feb 2021 14:39:35 +0000 (16:39 +0200)
commit232961bb05c787b0355c74f08b7939f2ec9b294a
tree30e58b5d0a91dd05df6b7aebc67a1dd375cda2a6tree | snapshot
parent560cccc916ed8e9614712aff8720d3fdfe9a0ccccommit | diff
fix: use time-constant comparison for CSRF tokens (#12188) (#12196)

This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Cherry-picked from: https://github.com/vaadin/flow/pull/9875

Authored-by: Tatu Lund <tatu@vaadin.com>
server/src/main/java/com/vaadin/server/VaadinService.java diff | blob | history
uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java diff | blob | history
Vaadin 6, 7, 8 is a Java framework for modern Java web applications: https://github.com/vaadin/framework