-rw-r--r-- | server/src/main/java/com/vaadin/server/VaadinService.java | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index ada9a8b875..ff1a7663d5 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -24,10 +24,12 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -1761,7 +1763,15 @@ public abstract class VaadinService implements Serializable {
                 .isXsrfProtectionEnabled()) {
             String sessionToken = session.getCsrfToken();
 
-            if (sessionToken == null || !sessionToken.equals(requestToken)) {
+            try {
+                if (sessionToken == null || !MessageDigest.isEqual(
+                        sessionToken.getBytes("UTF-8"),
+                        requestToken.getBytes("UTF-8"))) {
+                    return false;
+                }
+            } catch (UnsupportedEncodingException e) {
+                getLogger().log(Level.WARNING,
+                        "Session token was not UTF-8, this should never happen.");
                 return false;
             }
         } |
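Review bot: The new comparison in the second hunk dereferences `requestToken` unconditionally, so a request that carries no CSRF token (a null `requestToken`) now throws a NullPointerException where the removed `sessionToken.equals(requestToken)` simply returned false; the guard should read `if (sessionToken == null || requestToken == null || !MessageDigest.isEqual(`. The catch block also drops the exception object from the log call, which hides the cause when the "should never happen" case does fire; pass it as the third argument, `getLogger().log(Level.WARNING, "Session token was not UTF-8, this should never happen.", e);`. If the project's minimum Java level allows it, `getBytes(StandardCharsets.UTF_8)` would remove the checked exception and the try/catch altogether, but that depends on a compatibility baseline not visible here. The enclosing method starts and ends outside the hunk, so any caller-side handling of null tokens cannot be confirmed from this diff.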