]> source.dussan.org Git - vaadin-framework.git/commit
projects / vaadin-framework.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b4f0112) | patch
fix: use time-constant comparison for security tokens (#12189)
authorTatu Lund <tatu@vaadin.com>
Fri, 29 Jan 2021 11:32:09 +0000 (13:32 +0200)
committerGitHub <noreply@github.com>
Fri, 29 Jan 2021 11:32:09 +0000 (13:32 +0200)
commit885c2298fd709f4b05ee9fd4b38286c82c37cd1e
treed1ff791f691c30f7e2b602e16f25665bd8384cf3tree | snapshot
parentb4f011230fd5c9d56a0dd7ad7c00c584e25ee990commit | diff
fix: use time-constant comparison for security tokens (#12189)

This is the same as https://github.com/vaadin/framework/pull/12188,
but also applied for the upload security key
and the push id since both of those are also used to protect against
cross-site attacks. In addition, documentation for the push id is
clarified to point out its role.

Cherry-picked from: https://github.com/vaadin/flow/pull/9896
server/src/main/java/com/vaadin/server/VaadinSession.java diff | blob | history
server/src/main/java/com/vaadin/server/communication/FileUploadHandler.java diff | blob | history
server/src/main/java/com/vaadin/server/communication/PushHandler.java diff | blob | history
Vaadin 6, 7, 8 is a Java framework for modern Java web applications: https://github.com/vaadin/framework