]> source.dussan.org Git - vaadin-framework.git/commit
projects / vaadin-framework.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 885c229) | patch
fix: use time-constant comparison for CSRF tokens (#12188)
authorTatu Lund <tatu@vaadin.com>
Mon, 1 Feb 2021 15:51:22 +0000 (17:51 +0200)
committerGitHub <noreply@github.com>
Mon, 1 Feb 2021 15:51:22 +0000 (17:51 +0200)
commit7cb91b3b9995c92bfd2bfb694669f02d7fa44618
tree6fa40e1a5728a95947a2ab59e45124102f97104dtree | snapshot
parent885c2298fd709f4b05ee9fd4b38286c82c37cd1ecommit | diff
fix: use time-constant comparison for CSRF tokens (#12188)

This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Cherry-picked from: https://github.com/vaadin/flow/pull/9875
server/src/main/java/com/vaadin/server/VaadinService.java diff | blob | history
uitest/src/test/java/com/vaadin/tests/VerifyBrowserVersionTest.java diff | blob | history
Vaadin 6, 7, 8 is a Java framework for modern Java web applications: https://github.com/vaadin/framework