*/
private final String csrfToken = UUID.randomUUID().toString();
+ /*
+ * This token should be handled with care since it's used to protect against
+ * cross-site attacks in addition to general identifier duty.
+ */
private final String pushId = UUID.randomUUID().toString();
/**
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
import com.vaadin.server.ClientConnector;
import com.vaadin.server.NoInputStreamException;
streamVariable = uI.getConnectorTracker()
.getStreamVariable(connectorId, variableName);
String secKey = uI.getConnectorTracker().getSeckey(streamVariable);
- if (secKey == null || !secKey.equals(parts[3])) {
+ String securityKey = parts[3];
+ if (secKey == null || !MessageDigest.isEqual(
+ secKey.getBytes(StandardCharsets.UTF_8),
+ securityKey.getBytes(StandardCharsets.UTF_8))) {
return true;
}
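Review bot: The new local `securityKey` introduced on `String securityKey = parts[3];` is easy to confuse with the existing `secKey` it is compared against; naming it by origin, `String requestSecKey = parts[3];`, makes the request-versus-session direction of the comparison obvious. `MessageDigest.isEqual` returns early when the two arrays differ in length, so timing can still reveal the length of the stored key; that is acceptable if `getSeckey` always yields fixed-length UUID-style values, which is not visible here. `parts[3]` is not null-checked before `getBytes`, which is safe only if `parts` comes from a `split` that cannot yield null elements; that code is outside the hunk. The enclosing method starts and ends outside the hunk.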
import java.io.IOException;
import java.io.Reader;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
import java.util.Collection;
import java.util.logging.Level;
import java.util.logging.Logger;
}
/**
- * Checks whether a given push id matches the session's push id.
+ * Checks whether a given push id matches the session's push id. The
+ * comparison is done using a time-constant method since the push id is used
+ * to protect against cross-site attacks.
*
* @param session
* the vaadin session for which the check should be done
String requestPushId) {
String sessionPushId = session.getPushId();
- if (requestPushId == null || !requestPushId.equals(sessionPushId)) {
+ if (requestPushId == null || !MessageDigest.isEqual(
+ requestPushId.getBytes(StandardCharsets.UTF_8),
+ sessionPushId.getBytes(StandardCharsets.UTF_8))) {
return false;
}
return true;
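Review bot: The new condition dereferences `sessionPushId` unconditionally, whereas the replaced `requestPushId.equals(sessionPushId)` tolerated a null session id; if `session.getPushId()` can ever return null the check now throws a NullPointerException instead of returning false. Unless that is guaranteed non-null (the `pushId` field in the first hunk is initialised from `UUID.randomUUID()`, but it may belong to a different class), guard it: `if (requestPushId == null || sessionPushId == null || !MessageDigest.isEqual(`. In the Javadoc, "time-constant method" would read better as the standard term "constant-time comparison", and it is worth noting there that `MessageDigest.isEqual` short-circuits on a length mismatch, which only matters if push ids are not fixed-length. The method signature begins before the hunk.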