]> source.dussan.org Git - vaadin-framework.git/commit
projects / vaadin-framework.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d0d2cfb) | patch
fix: use time-constant comparison for CSRF tokens (#12190)
authorTatu Lund <tatu@vaadin.com>
Thu, 4 Feb 2021 12:23:19 +0000 (14:23 +0200)
committerGitHub <noreply@github.com>
Thu, 4 Feb 2021 12:23:19 +0000 (14:23 +0200)
commita26eb8d4c63816eae9579c661712e47fa6fa0e18
tree83839d555291e5f5124fcb0df3d9cf537f0c4be3tree | snapshot
parentd0d2cfbda0f96b68293ce723bf776332d4ecd4decommit | diff
fix: use time-constant comparison for CSRF tokens (#12190)

This hardens the framework against a theoretical timing attack based on
comparing how quickly a request with an invalid CSRF token is rejected.

Backporting of #12188
server/src/main/java/com/vaadin/server/VaadinService.java diff | blob | history
Vaadin 6, 7, 8 is a Java framework for modern Java web applications: https://github.com/vaadin/framework